This work addresses a novel class of workflow-level injection attacks—Agentic Workflow Injection (AWI)—that exploit the direct incorporation of untrusted event payloads (e.g., issue or pull request content) into LLM-driven GitHub Actions prompts. The study presents the first systematic characterization of AWI vulnerabilities and introduces TaintAWI, a taint analysis framework tailored for AI-automated workflows. By modeling event contexts, prompt boundaries, model outputs, and script semantics, TaintAWI precisely tracks the flow of untrusted inputs to sensitive operations. Evaluation across 13,392 real-world workflows uncovered 519 potential vulnerabilities, of which 496 were confirmed exploitable (95.6% precision), including 343 zero-day flaws; responsible disclosure has already led to 24 fixes.

GitHub Actions is increasingly used to deploy LLM-based agents for repository-centric tasks such as issue triage, pull-request review, code modification, and release assistance. These agentic workflows extend traditional CI/CD automation with agentic capabilities but also create a new injection surface. In this paper, we introduce Agentic Workflow Injection (AWI), a workflow-level injection flaw where untrusted GitHub event context, such as issue bodies, pull-request descriptions, or comments, is incorporated into agent prompts or agent-consumed inputs and converted into attacker-influenced behavior through agent tools or downstream workflow logic. We identify two core AWI patterns: Prompt-to-Agent (P2A), where untrusted content reaches an agent prompt boundary, and Prompt-to-Script (P2S), where attacker influence propagates through model- or agent-derived outputs into later scripts. We present the first systematic study of AWI in GitHub Actions. We characterize 1,033 real-world AI-assisted actions and extract AWI-specific taint specifications, including prompt boundaries, derived outputs, agentic capabilities, and access-control interfaces. Based on these specifications, we design TaintAWI, a taint-analysis tool that tracks flows from untrusted event context to agent prompt inputs and security-sensitive workflow sinks. Applying TaintAWI to 13,392 real-world agentic workflows from 10,792 repositories, we report 519 potential AWI vulnerabilities, of which 496 are confirmed exploitable under our threat model, yielding a precision of 95.6%. Among them, 343 are previously unknown zero-day vulnerabilities. We prioritized disclosure for 187 zero-day cases, received 26 maintainer responses, and 24 cases have been accepted or fixed at the time of writing.