{"slug": "promptblock-detect-prompt-injections-in-github-issues", "title": "Promptblock – detect prompt injections in GitHub issues", "summary": "Promptblock, a new GitHub App, detects prompt-injection attempts in GitHub issues and comments by scanning hidden HTML comments that AI agents read via the API but humans do not see. The app uses a bundled ML-based classifier to flag malicious payloads without exposing attack strings, addressing a security gap where AI agents ingest invisible content.", "body_md": "A GitHub App that scans issues and comments for prompt-injection attempts — including payloads hidden where humans never look but AI agents always read.\n\nAI agents increasingly read GitHub issues and comments straight from the API. The text they ingest isn't always the text a human sees — and that gap is exactly where prompt injection hides.\n\nSpecializes in payloads smuggled inside HTML comments\n(``\n\n) — dropped by GitHub's renderer,\nbut ingested in full by any agent reading the raw body.\n\nEvery segment runs through a tiered scanner cascade backed by a bundled, ML-based prompt-injection classifier — no external API call at scan time.\n\nFlags the issue with a `possible-prompt-injection`\n\nlabel and one warning comment. It reports *where* and\n*how risky* — never the verbatim attack string.\n\nThis issue body looks empty to a reviewer. An agent reading it via the REST/GraphQL API sees every word.\n\n```\nThanks for the report — looks good to me! 👍\n\n```\n\nGitHub's Markdown renderer drops the comment, so it's invisible in the thread. promptblock splits the body into visible text and each hidden comment, then scans every segment independently — so a benign visible body can't mask a malicious hidden one.\n\nThree steps, on every `issues`\n\nand\n`issue_comment`\n\nevent.\n\n`possible-prompt-injection`\n\nlabel and one warning\ncomment — explicitly noting when the content was hidden.\nA walk through real issues — a hidden injection attempt that promptblock catches, and benign content that it correctly lets through.\n\npromptblock is a hosted GitHub App. Add it to your account or org and it starts scanning new issues and comments right away — nothing to configure.\n\n`issues`\n\nand `issue_comment`\n\nevents.\nTo stop it, deselect repositories or uninstall it from\n**Settings → Applications → Installed GitHub Apps**.\n\nA multi-stage Docker image is included, with the ~22 MB ONNX model baked in — no download at runtime.\n\n```\n# build\ndocker build -t promptblock .\n\n# run (point the GitHub App webhook at the container)\ndocker run -p 3000:3000 \\\n -e APP_ID=... -e WEBHOOK_SECRET=... \\\n -e PRIVATE_KEY=\"$(cat private-key.pem)\" \\\n promptblock\n```\n\nFull setup, local webhook testing via smee.io, and the GitHub App\nregistration flow are in the\n[project README](https://github.com/ryandens/promptblock#readme).", "url": "https://wpnews.pro/news/promptblock-detect-prompt-injections-in-github-issues", "canonical_source": "https://ryandens.github.io/promptblock/", "published_at": "2026-06-22 00:20:38+00:00", "updated_at": "2026-06-22 00:25:59.154278+00:00", "lang": "en", "topics": ["ai-safety", "ai-agents", "machine-learning", "developer-tools"], "entities": ["Promptblock", "GitHub", "ONNX"], "alternates": {"html": "https://wpnews.pro/news/promptblock-detect-prompt-injections-in-github-issues", "markdown": "https://wpnews.pro/news/promptblock-detect-prompt-injections-in-github-issues.md", "text": "https://wpnews.pro/news/promptblock-detect-prompt-injections-in-github-issues.txt", "jsonld": "https://wpnews.pro/news/promptblock-detect-prompt-injections-in-github-issues.jsonld"}}