Prompt injection attacks against AI coding agents work by embedding malicious instructions in content the agent reads during normal operation: GitHub PR comments, web search results, and third-party skill files. A single crafted string can redirect Claude Code, Gemini CLI, or GitHub Copilot to execute arbitrary commands, exfiltrate credentials, or silently follow attacker-controlled instructions with no audit trail left behind. A proof-of-concept documented this week achieved an 85% success rate across all three agents using a single crafted PR comment. The defenses exist: input validation on untrusted tool outputs, sandboxed execution, manual skill vetting, and approval gates on sensitive tool calls, but none of them are on by default.…
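One way to wire up the approval gate named above, as an added sketch that is not code from any of these agents: once the session has read content from an untrusted source, sensitive tool calls are denied unless a human approves, and every decision is logged. The tool names, source labels and the `Session` class are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Content sources the paragraph names as carrying attacker-controlled text.
UNTRUSTED_SOURCES = {"pr_comment", "web_search", "skill_file"}
# Hypothetical tool names; a real agent harness defines its own set.
SENSITIVE_TOOLS = {"shell", "http_request", "read_secret"}

@dataclass
class Session:
    tainted_by: list = field(default_factory=list)  # untrusted sources read so far
    audit: list = field(default_factory=list)       # append-only decision log

    def ingest(self, source: str, text: str) -> str:
        """Record provenance of tool output before it reaches the model context."""
        if source in UNTRUSTED_SOURCES:
            self.tainted_by.append(source)
            self.audit.append(("ingest", source, len(text)))
        return text

    def authorize(self, tool: str, args: dict, approve=None) -> bool:
        """Gate a tool call; policy choice here: gate only after untrusted input."""
        if tool not in SENSITIVE_TOOLS or not self.tainted_by:
            decision = "allow"
        elif approve is not None and approve(tool, args, list(self.tainted_by)):
            decision = "approved"   # a human saw the call and its taint sources
        else:
            decision = "deny"       # default-deny when nobody approves
        self.audit.append(("tool", tool, decision))
        return decision != "deny"

def demo():
    s = Session()
    before = s.authorize("shell", {"cmd": "pytest -q"})      # nothing untrusted read yet
    # Constructed sample input standing in for a crafted PR comment.
    s.ingest("pr_comment", "LGTM. [constructed stand-in for injected text]")
    unattended = s.authorize("shell", {"cmd": "pytest -q"})  # no approver present
    read_only = s.authorize("read_file", {"path": "README.md"})
    approved = s.authorize("shell", {"cmd": "pytest -q"},
                           approve=lambda tool, args, sources: True)
    return before, unattended, read_only, approved, s.audit

if __name__ == "__main__":
    print(demo())
```

The gate keys on provenance rather than on spotting malicious wording, so it does not depend on recognising any particular injected string.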