A single word broke GitHub's newest security boundary, and the word was "Additionally."

On 6 July, Noma Labs' Sasi Levi published GitLost: an indirect prompt-injection attack against GitHub Agentic Workflows, the plain-Markdown automation feature GitHub launched in technical preview, backed by Claude, Copilot, Gemini or Codex. An unauthenticated attacker opens an ordinary-looking issue in a public repository. Inside the issue body, in plain English, sit hidden instructions. When the workflow's agent reads the issue it follows them instead of its operator's, fetches a README from a private repository in the same organisation, and posts the contents as a public comment for anyone to read. No credentials, no exploit code, no coding skill. The proof of concept, issue #153 and a public workflow run, leaked a file from a private repo to the open internet. It was disclosed to GitHub, who acknowledged it, and picked up by The Hacker News, Dark Reading and SecurityWeek.

The obvious write-up is "prompt injection strikes again, patch incoming." That's true and it's boring. The part worth stopping on is that GitHub didn't get this wrong through carelessness. By the standards of conventional application security it did nearly everything right, and the thing still leaked.

The pitch, stated fairly

GitHub built Agentic Workflows security-first, and the documentation is not shy about it. Workflows are read-only by default. Write operations, such as creating issues, adding comments or opening pull requests, are only permitted through explicitly declared "safe-outputs" in the workflow's YAML frontmatter. The human-authored Markdown is compiled into a hardened .lock.yml Actions file, so what runs is a reviewed artifact rather than free-floating natural language. This is the allowlist-everything, least-privilege posture that security reviewers have been asking software vendors to adopt for twenty years. On paper it is a model citizen.

Noma's pitch sits on top of that. The company sells agentic-AI security: runtime enforcement, posture management, red teaming. GitLost is the latest in a series of named findings (GeminiJack, DockerDash, GrafanaGhost) that double as research and as marketing. The implied conclusion is that GitHub's built-in guardrails are not enough, and you need a layer like theirs watching the agent at runtime. Both halves deserve a fair hearing, so let me separate the pitch from what's actually demonstrable.

What can be verified, and what it means

What's demonstrable is narrow and solid. A specific, real workflow configuration (one triggered by an issue, granted read access to other repositories in the org, and permitted to post comments) was reproducibly turned into a data-exfiltration channel by text a stranger typed into a public issue. GitHub's guardrails were supposed to stop exactly this. They mostly did, until Levi prefaced the malicious request with "Additionally", at which point the model reframed the output rather than refusing it. That detail is the whole story in miniature. The final trust boundary in this system was not enforced by the compiled lockfile, the permission scopes, or the safe-outputs allowlist. It was enforced by the model deciding, in the moment, whether a given sentence counted as an instruction or as data. A model's decision is a probability, not a rule.

This is the uncomfortable centre of agentic security, and Noma states it plainly in their own write-up: in traditional systems trust boundaries are enforced by code; in agentic systems they are enforced partly by the model's behaviour, and models are built to follow instructions. You can lower the probability of the wrong behaviour. You cannot drive it to zero, because the component making the call is nondeterministic by construction. Cisco's security team put it as bluntly as anyone this year: prompt injection is the new SQL injection, and guardrails aren't enough.

The SQL-injection comparison is the one every vendor reaches for, and it's worth handling carefully, because the disanalogy teaches more than the analogy. SQL injection got largely solved, and it got solved by a deterministic separation of code from data: parameterised queries hand the database the command and the values through separate channels, so no amount of cleverness in the value can change the command. There is no parameterised query for natural language. The instruction and the untrusted data arrive as the same substance, tokens, and the model's job is to make meaning of all of it at once. That belongs to the medium itself, not to any one model you could swap in.

The strongest case against my read

Here is where the honest counter-argument lives, and it comes from someone who has thought about this longer than most vendors. Simon Willison's framing of the lethal trifecta (private data, untrusted content, and a path to send data outward) ends on a genuinely hopeful note: hold any two and the agent stays safe. The danger only appears when all three are present at once. By that logic GitLost is not architectural doom at all. It is a misconfiguration. Someone stood up a workflow that read untrusted issues, held cross-repo read access, and could post publicly, and thereby assembled all three legs of the trifecta with their own hands. Remove any one, by isolating untrusted input, scoping out the private repos, or blocking the public output path, and the attack evaporates. GitHub's defaults, a defender would point out, don't grant that combination; a person had to opt into it. Noma's own recommendations say precisely this: scope permissions, don't let agents post publicly in response to untrusted content, separate user input from the instruction context.

That's a fair point and I want to give it its full weight. The trifecta really is a design property you can choose not to instantiate, and a disciplined team that treats every agent tool as a potential exfiltration channel can build workflows that never expose all three legs together. GitLost does not prove that safe agentic automation is impossible.

What it does show is which way the gravity runs. The entire value proposition of a feature like Agentic Workflows is reach. An agent that can read across your repositories, act on issues and respond in public is more useful than one that can't, and every increment of usefulness adds a leg to the trifecta. The people GitHub is courting with plain-Markdown authoring are, by design, the ones who don't want to think in YAML permission scopes; handing them natural-language workflow-writing is handing trust-boundary decisions to exactly the audience least equipped to see the boundary. "Safe by default" holds right up until the moment the feature does something worth doing. The trifecta isn't a mistake people make despite the product. It's the direction the product points.

The bet

So the interesting question isn't whether GitHub patches GitLost. It's what class of fix ships. If the response is a better system prompt, a tuned refusal, or another guardrail model watching the first, that's more probability-lowering, and the next researcher will find the next "Additionally". The approaches with an actual security argument are the architectural ones that treat the model as untrusted and put deterministic machinery around it. CaMeL is the reference example: a privileged component generates the plan, a quarantined component processes untrusted data, and a separate interpreter tracks provenance and enforces policy before any tool call, so a leaked instruction never reaches a privileged action in the first place. The security guarantee lives outside the model's behaviour, where it can be reasoned about. The trouble, as NeuralTrust noted, is that nearly a year after CaMeL almost nobody ships it. It is harder to build and it makes the agent less fluid, which is to say less marketable.

That is the bet worth watching, and it is falsifiable. Over the next year the dominant coding-agent platforms will either move their trust boundaries into deterministic, code-enforced separation of instructions from data, or they'll keep enforcing them "partly by the model's behaviour" and keep calling each reproduced bypass a misconfiguration. If GitHub's own remediation turns out to be a guardrail tweak rather than an architectural boundary, that tells you which path the incumbents have chosen. And if it's the guardrail path, GitLost won't be the last name on Noma's list. It'll just be the one people happened to remember, because it fell to a single adverb.