agentic-sdlc-intake-attack

Incident Threat Surface

Agentic Collaboration-Plane Injection targets the boundary between human-readable collaboration and machine action. The attacker does not need direct repository write access if an agent can be induced to treat comment-supplied material as task input.

Assets

Attackers

Entry Surfaces

Trust Boundary

Natural-language collaboration content must not cross directly into file execution, shell execution, dependency installation, test execution, or credential-bearing environments.

External issue and PR content can be evidence. It cannot become instruction without an explicit policy transition.

Agent-Specific Risk

The same comment that a human maintainer might distrust can look task-relevant to an autonomous agent because it is embedded in the issue thread the agent was asked to solve. The alignment between the comment and the issue is a legitimacy signal, not proof of safety.

Risk increases when an agent can:

Required Boundary Control

Any artifact supplied outside the repository’s trusted contribution path must be handled as hostile until a maintainer explicitly approves a narrowly scoped action.

The safe default is:

  1. Preserve comment provenance.
  2. Quarantine the artifact outside the worktree.
  3. Hash and list only.
  4. Run static inspection only.
  5. Require human approval before extraction, execution, import, build, or test.