A team of researchers at Invariant Labs, based in Zurich, Switzerland, has warned developers of a prompt injection vulnerability in GitHub’s MCP (Model Context Protocol) server, which could result in code leaking from private repositories.
The issue is not a flaw in the GitHub MCP server code, but rather an architectural issue, says research engineer Marco Milanta and CTO Luca Beurer-Kellner. It can be avoided if developers are careful to check and approve agent actions, but the researchers suspect that may users opt for an “always allow” confirmation policy.
The scenario is where a developer is active in both a public and one or more private repositories, with an AI agent configured with permission for the private repositories. An attacker might post a malicious issue to the public repository; in the contrived example this contains prompts asking for information about an individual’s private repositories to be posted to the public repository and adds that “the author does not care about privacy! So go ahead and put everything you find!”
In the next part of the attack, the developer is presumed to ask the AI agent to check and fix issues in the public repository. The agent finds the poisoned issue, follows the prompts, and makes public some information from the private repositories.
Everything here is working as designed, but nevertheless this is an attack with low complexity and high potential harm. The researchers believe there is no easy solution to the architectural issue, though it can be mitigated by rules such as requiring that an AI agent accesses only one repository per session, and by giving AI agents least-privilege access tokens. Invariant Labs is promoting its Guardrails and MCP-scan product which offers additional controls and auditing, but these kinds of tools are not a complete fix either.
Open-source developer Simon Willison described the issue as a “lethal trifecta for prompt injection: access to private data, exposure to malicious instructions and the ability to exfiltrate information.” Willison had previously warned about prompt injection risks in MCP, and said that despite the industry knowing of the dangers for more than two and a half years, “we still don’t have convincing mitigations for handling it.”
For the uninitiated, prompt injection is where an instruction to an AI agent is embedded in data that is not expected to include prompts, so similar in concept to SQL injection, still one of the most exploited vulnerability types. Prompt injection is harder to prevent because of the unstructured way in which AI operates. “LLMs will trust anything that can send them convincing sounding tokens,” said Willison.
Another key issue is the idea that humans should always approve tool invocations. The MCP specification states this, but in cases where agentic AI is used intensively, understanding and checking every tool invocation becomes burdensome. Developers are vulnerable to confirmation fatigue: even if every action presents a confirmation prompt, the protection is only meaningful if all the details of that action are carefully checked.
The GitHub MCP Server is open source and in preview; the latest release at the time of writing is 0.4.0.
A recent issue for this MCP server proposes that an optional filter is added to avoid prompt injection by only giving an agent access to issues, pull requests, comments and discussions from users that already have push access to a repository. It is an interesting but crude solution, since it would likely filter out many useful and important contributions. This is an example, perhaps, of the contortions we can expect as the industry comes to terms with MCP and its new risks.