From 5fd91ff0dc57cbcdcf443529cc5ebcc6f8ccdde6 Mon Sep 17 00:00:00 2001 From: Casey Silver Date: Mon, 11 May 2026 12:50:21 -0700 Subject: [PATCH] docs: clarify PR-controlled project instructions --- README.md | 1 + docs/security.md | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index b7d5ab2..10e8389 100644 --- a/README.md +++ b/README.md @@ -35,6 +35,7 @@ jobs: with: # Explicitly check out the PR's merge commit. ref: refs/pull/${{ github.event.pull_request.number }}/merge + persist-credentials: false - name: Pre-fetch base and head refs for the PR env: diff --git a/docs/security.md b/docs/security.md index 5242d6e..d83f5e1 100644 --- a/docs/security.md +++ b/docs/security.md @@ -14,7 +14,8 @@ There is a lot of valuable context that can be used to fuel your invocation of C - **Pull requests**: the title of a pull request is often clear, but it is fairly easy to hide information in a pull request body using an HTML comment (``) that is readily available to the model but effectively invisible to the user. - **Commit messages**: a pull request can be composed of many commits. The messages for individual commits often go unnoticed, but could read by Codex. -- **Screenshots** screenshots and other media have been known to be used as vehicles for prompt injection. +- **Repository instruction files**: when Codex operates on pull request-controlled content, files such as `AGENTS.md`, `AGENTS.override.md`, or configured fallback project docs from that content should be considered part of the untrusted input surface. +- **Screenshots**: screenshots and other media have been known to be used as vehicles for prompt injection. ## Avoid shell injection in workflow steps
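Review bot: In the README.md hunk, `persist-credentials: false` on a checkout of `refs/pull/${{ github.event.pull_request.number }}/merge` is the right hardening (the token no longer lands in `.git/config`, where PR-controlled content could read it), but the very next step, `Pre-fetch base and head refs for the PR`, will now run git against a repository with no stored credentials; confirm that step passes a token explicitly through its `env:` block, otherwise the fetch breaks on private repositories. The added line also carries no comment, unlike the neighbouring `# Explicitly check out the PR's merge commit.`; a one-liner such as `# Do not leave the token in .git/config for PR-controlled code to read.` would make the intent survive the next refactor. Note too that the subject line `docs: clarify PR-controlled project instructions` does not mention this workflow change, which a reader skimming `git log` for security-relevant edits would miss.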
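Review bot: In the docs/security.md hunk, the new **Repository instruction files** bullet names `AGENTS.md` and `AGENTS.override.md` concretely but then says "configured fallback project docs" without saying which setting configures them; name the option (or link to where it is documented) so a reader can check what else is read from the PR ref. The bullet also stops at "should be considered part of the untrusted input surface" without saying what the workflow does about it; a sentence stating whether these files are read from the PR merge commit or from the base branch would tell the reader whether the instructions an attacker adds in a PR actually reach the model. While here, the unchanged context line `could read by Codex` should read `could be read by Codex`, and the HTML comment example in the **Pull requests** bullet shows as an empty code span (``) in this view, so confirm the comment markup still renders in the source.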