Summary
The gh-aw compiler generates Upload agent artifacts steps without a retention-days: key, so they inherit GitHub Actions' 90-day default. These artifacts contain agent-stdio.log (full execution stream), mcp-logs/ (per-call MCP request/response pairs), prompt.txt (rendered prompt including any cache-memory injections), github_rate_limits.jsonl (token-type fingerprint), and safeoutputs.jsonl. Any agent running in the same repository whose tool allowlist includes list_workflow_runs, list_workflow_run_artifacts, and download_workflow_run_artifact — all part of the default repos toolset — can download the full execution record of any prior run within that 90-day window. The activation artifact already sets retention-days: 1; the agent artifact does not, creating an unintended asymmetry. The 90-day window also closes the XPIA feedback loop: a running cross-prompt injection attack can confirm whether injected content reached the victim agent's context by reading the victim run's prompt.txt artifact using only read-only tools.
Affected Area
Compiler default / artifact persistence boundary — Upload agent artifacts step generated for every compiled workflow. Affects all gh-aw deployments where the repos toolset (default) is granted, not only specialized egress-probing profiles.
Reproduction Outline
- Compile any gh-aw workflow; observe the generated Upload agent artifacts step in the .lock.yml — no retention-days: key is present (contrast with the Upload activation artifact step which sets retention-days: 1).
- After the workflow runs, a second agent in the same repository with list_workflow_runs, list_workflow_run_artifacts, and download_workflow_run_artifact in its allowlist calls those three tools in sequence to locate and download the agent artifact from any prior run within 90 days.
- The downloaded ZIP contains agent-stdio.log, mcp-logs/, prompt.txt, github_rate_limits.jsonl, and safeoutputs.jsonl — the complete internal execution record of the prior agent. github_rate_limits.jsonl with "limit":15000 fingerprints a GitHub App installation token without any explicit secret-read permission.
- For an active XPIA scenario: read the victim run's prompt.txt to confirm whether injected content reached the victim agent's context — no write permission required.
Observed Behavior
Agent artifact defaults to 90-day retention and includes full MCP execution logs, rendered prompts, and rate-limit telemetry. Any agent in the same repo with repos toolset access can retrieve complete execution history of prior agents for up to 90 days.
Expected Behavior
Agent artifact should default to retention-days: 1 (matching the activation artifact) so execution internals are not persistently accessible across runs. Alternatively, sensitive log paths (mcp-logs/, agent-stdio.log) should be excluded or separated into a restricted artifact, and artifact download should optionally be scopeable to the current run only.
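The first reproduction step (inspect the compiled .lock.yml for an upload step with no retention-days: key) and the proposed fix (give the agent artifact retention-days: 1 like the activation artifact) can both be checked mechanically. The script below is an added example for this report, not gh-aw code: it scans a steps: list line by line, reports the effective retention of every actions/upload-artifact step, and rewrites a step that is missing the key. The embedded lock-file excerpt is constructed; the step names and the retention-days: 1 on the activation artifact follow the report, while the action pin, file paths and other keys are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of a compiled .lock.yml (not a real gh-aw output).
# Step names and "retention-days: 1" on the activation step are from the
# report; the @v4 pin, paths and if-no-files-found are assumptions.
SAMPLE_LOCK = """\
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Upload activation artifact
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: activation
          path: /tmp/gh-aw/activation.json
          retention-days: 1
      - name: Upload agent artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: agent
          path: |
            /tmp/gh-aw/agent-stdio.log
            /tmp/gh-aw/mcp-logs/
            /tmp/gh-aw/prompt.txt
          if-no-files-found: ignore
"""

# What an upload-artifact step inherits when retention-days is absent.
GITHUB_DEFAULT_RETENTION_DAYS = 90

STEP_RE = re.compile(r"-\s+name:\s*(.+)")


@dataclass
class Step:
    name: str
    uses: str = ""
    with_: dict = field(default_factory=dict)


def parse_steps(text):
    """Line-based scan of a GitHub Actions steps: list.

    Good enough for the compiler's regular, consistently indented output;
    it is not a general YAML parser. Nested block scalars (path: |) are
    skipped because their lines sit deeper than the with: keys."""
    steps, step_indent, in_with, with_indent = [], None, False, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        m = STEP_RE.match(line)
        if m:  # "- name: ..." opens a new step
            steps.append(Step(name=m.group(1).strip()))
            step_indent, in_with = indent, False
            continue
        if not steps:
            continue
        key_indent = step_indent + 2  # step keys sit two columns in from "- "
        if indent == key_indent:
            key, _, value = line.partition(":")
            if key == "uses":
                steps[-1].uses = value.strip()
            in_with, with_indent = (key == "with"), None
            continue
        if in_with and indent > key_indent:
            if with_indent is None:
                with_indent = indent
            if indent == with_indent and ":" in line:
                key, _, value = line.partition(":")
                steps[-1].with_[key.strip()] = value.strip()
    return steps


def audit_retention(steps):
    """(step name, effective retention days, key missing?) per upload step."""
    findings = []
    for s in steps:
        if not s.uses.startswith("actions/upload-artifact"):
            continue
        days = s.with_.get("retention-days")
        effective = int(days) if days else GITHUB_DEFAULT_RETENTION_DAYS
        findings.append((s.name, effective, days is None))
    return findings


def steps_missing_retention(text):
    """Names of upload-artifact steps that silently inherit the 90-day default."""
    return [n for n, _, missing in audit_retention(parse_steps(text)) if missing]


def set_retention(text, step_name, days):
    """Return the lock text with retention-days added to one step's with: block.

    The key is inserted directly under "with:"; mapping order is irrelevant in
    YAML, so this is valid. Steps that already set the key are left untouched."""
    if step_name not in steps_missing_retention(text):
        return text
    out, in_target, step_indent = [], False, None
    for raw in text.splitlines():
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        m = STEP_RE.match(line)
        if m:
            in_target, step_indent = m.group(1).strip() == step_name, indent
        out.append(raw)
        if in_target and indent == step_indent + 2 and line == "with:":
            out.append(" " * (indent + 2) + f"retention-days: {days}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, days, missing in audit_retention(parse_steps(SAMPLE_LOCK)):
        flag = "  <-- inherits GitHub default" if missing else ""
        print(f"{name}: {days} day(s){flag}")
    print(set_retention(SAMPLE_LOCK, "Upload agent artifacts", 1))
```

Run against a real .lock.yml by replacing SAMPLE_LOCK with the file contents; any step reported at 90 days with the "inherits" flag is one whose artifacts outlive the run by the default window. The rewrite only adds the key where it is absent, so re-running it is idempotent, which matters if it is wired into a post-compile hook.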
Security Relevance
The cross-run artifact channel enables information gathering (prior prompts, tool I/O, token-type fingerprinting) that workflow authors granting the standard repos toolset would not anticipate. In XPIA scenarios it provides a read-only confirmation mechanism, strengthening attack chains without requiring any write permission. For private repositories the impact is higher because artifacts are not publicly accessible, giving an attacker-controlled agent access to data that is otherwise restricted.
Additional Context
If retaining full 90-day agent artifacts is by design (e.g., for debugging), this assumption should be documented in the gh-aw security architecture so deployers of private repositories understand that granting the repos toolset gives agents access to prior execution logs. Currently no documentation addresses artifact persistence as a cross-run data channel.
gh-aw version: v0.68.3
Original finding: https://github.com/githubnext/gh-aw-security/issues/1944