Comment and Control: Hijacking Agentic Workflows via Context-Grounded Evolution
Authors: Neil Fendley, Zhengyu Liu, Aonan Guan et al.
Summary
The authors introduce JAW, the first framework to detect and exploit vulnerabilities in agentic workflows (like GitHub Actions and n8n) by hijacking LLM agents via adversarially crafted inputs (e.g., GitHub issue comments). Their novel Context-Grounded Evolution approach evolves inputs under contexts derived from hybrid program analysis: static path-feasibility analysis (identifying feasible agent-invocation paths), dynamic prompt-provenance analysis (tracking how inputs are embedded into LLM context), and capability analysis (identifying agent actions and restrictions). They show 4,714 GitHub workflows and 8 n8n templates can be hijacked for credential exfiltration and arbitrary command execution.
Main takeaways:
- Agentic workflows integrate LLMs into automation platforms (GitHub Actions, n8n), exposing a new attack surface: adversaries can craft inputs (e.g., issue comments) to manipulate the LLM agent.
- JAW uses Context-Grounded Evolution, which evolves agentic workflow inputs under contexts derived from three analyses: static path-feasibility, dynamic prompt-provenance, and capability analysis.
- Static path-feasibility analysis identifies feasible agent-invocation paths and the input constraints needed to trigger them.
- Dynamic prompt-provenance analysis tracks how adversarial input is transformed and embedded into the LLM's context window.
- Evaluation shows 4,714 GitHub workflows and 8 n8n templates can be hijacked, including official Actions for Claude Code, Gemini CLI, Qwen CLI, and Cursor CLI.
Relevance
Highly relevant to my work on conditional behavior and installation-path equivalence. This exploits how specific inputs (like persona markers or trigger phrases) steer LLM behavior in agentic workflows, similar to my work on marker implantation and pretraining backdoors. The prompt-provenance analysis—tracking how inputs are embedded and transformed in context—parallels my investigation of how persona prompts and markers condition model outputs. The core mechanism (injecting text to hijack behavior) is essentially activation steering via adversarial prompt construction.
Threat model
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.
Abstract
arXiv:2605.11229v1 Announce Type: new Abstract: Automation platforms such as GitHub Actions and n8n are increasingly adopting so-called agentic workflows, which integrate Large Language Model (LLM) agents for tasks such as code review and data synchronization. While bringing convenience for developers, this integration exposes a new risk: An adversary may control and craft certain inputs, such as GitHub issue comments, to manipulate the LLM agent for unwanted actions, such as credential exfiltration and arbitrary command execution. To our knowledge, no prior academic work has studied such a risk in agentic workflows. In this paper, we design the first detection and exploitation framework, called JAW, to hijack agentic workflows hosted on automation platforms via a novel approach called Context-Grounded Evolution. Our key idea is to evolve agentic workflow inputs under the contexts derived from hybrid program analysis for hijacking purposes. Specifically, JAW generates agentic workflow contexts through three analyses: (i) static path-feasibility analysis to identify feasible agent-invocation paths and the input constraints required to trigger them, (ii) dynamic prompt-provenance analysis to determine how that input is transformed and embedded into the LLM context, and (iii) capability analysis to identify the actions and restrictions available to the agent at runtime. Our evaluation of JAW on GitHub workflows and n8n templates showed that 4714 GitHub workflows and eight n8n templates can be successfully hijacked, for example, to leak user credentials. Our findings span 15 widely-used GitHub Actions, including official GitHub Actions for Claude Code, Gemini CLI, Qwen CLI, and Cursor CLI, and two official n8n nodes. We responsibly disclosed all findings to the affected vendors and received many acknowledgements, fixes, and bug bounties, notably from GitHub, Google, and Anthropic.