the most interesting part here isn't prompt injection worked, it's why the agent had read access to private repo at all while triaging a public issue.

an agent responding to public issue should only ever see context limited to that repo.

it seems like with the evolution of AI - we are slowly missing out basic security practices.

Agreed, hard enforced by code. Surprised to see many comments here finding it reasonable that the agent could reply with private repo information on a question posted on a public repo, which IMHO is obviously a bug.