Classification: Internal — For Repository Maintainers and Organization Administrators
Companion Document: security-assessment.md · warning-blast-radius.md
This document provides precise, step-by-step procedures for taking control of a security incident involving the github-minimum-intelligence (GMI) agent. It covers containment, manual file deletion of compromised artifacts, disabling the workflow agent, and stopping any existing GitHub Actions runs.
Use this plan when:
- You suspect the agent has been compromised or is behaving unexpectedly.
- Unauthorized commits, branches, or workflow files have appeared.
- Secrets may have been exfiltrated.
- The agent is running autonomously and must be stopped immediately.
Objective: Immediately cancel all running and queued GitHub Actions workflow runs.
Time target: Minutes 0–2
- Navigate to the repository Actions tab.
- For every workflow run with status `In progress` or `Queued`:
  - Click the run to open it.
  - Click Cancel workflow run (top right).
- Repeat for all 24 organization repositories if cross-repo compromise is suspected.
```bash
# Cancel all in-progress runs for this repository
gh run list --status in_progress --json databaseId --jq '.[].databaseId' | \
  xargs -I {} gh run cancel {}

# Cancel all queued runs
gh run list --status queued --json databaseId --jq '.[].databaseId' | \
  xargs -I {} gh run cancel {}
```

```bash
# For every repository in the organization
# (queued runs are cancelled as well, otherwise they start as soon as a runner frees up)
for repo in $(gh repo list japer-technology --json name --jq '.[].name'); do
  echo "Cancelling runs in $repo..."
  for status in in_progress queued; do
    gh run list --repo "japer-technology/$repo" --status "$status" \
      --json databaseId --jq '.[].databaseId' | \
      xargs -I {} gh run cancel {} --repo "japer-technology/$repo"
  done
done
```

```bash
# Disable the agent workflow so no new runs can start
gh workflow disable "github-minimum-intelligence-agent.yml"
```

Verification: Confirm under Actions → github-minimum-intelligence-agent that the badge reads "This workflow is disabled" and no runs are in progress.
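The commands above are meant to be typed one at a time. The script below is an added example (not part of the GMI project or this plan's original text) that performs the whole of Step 1 in one pass across the organization: it cancels both in-progress and queued runs in every repository, disables the agent workflow wherever it is installed, and appends a timestamped line for each action to an incident log so the "Actions taken" record in Step 5 can be reconstructed. It assumes an authenticated `gh` CLI with access to every repository, the organization name and workflow file name used elsewhere in this plan, and that `GH` may be pointed at a stub (for example `GH="echo gh"`) to dry-run the procedure before the real thing.

```shell
#!/usr/bin/env sh
# Added example: organization-wide emergency stop for the GMI agent workflow.
# Assumptions (not from the project): gh is authenticated for every repo in ORG,
# and GH may be overridden with a stub command for a dry run.
ORG="${ORG:-japer-technology}"
WORKFLOW="${WORKFLOW:-github-minimum-intelligence-agent.yml}"
LOG="${LOG:-incident-actions.log}"

# Append a UTC-timestamped line to the incident log and echo it to the console.
record() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" | tee -a "$LOG"
}

# Cancel every run with the given status (in_progress or queued) in one repository.
cancel_runs() {
    repo="$1"; status="$2"
    "${GH:-gh}" run list --repo "$repo" --status "$status" --limit 100 \
        --json databaseId --jq '.[].databaseId' |
    while IFS= read -r id; do
        [ -n "$id" ] || continue
        "${GH:-gh}" run cancel "$id" --repo "$repo"
        record "cancelled $status run $id in $repo"
    done
}

# Stop running and queued runs, then disable the workflow so nothing new can start.
# Repositories without the workflow file are logged rather than treated as errors.
stop_repo() {
    repo="$1"
    cancel_runs "$repo" in_progress
    cancel_runs "$repo" queued
    if "${GH:-gh}" workflow disable "$WORKFLOW" --repo "$repo" 2>/dev/null; then
        record "disabled $WORKFLOW in $repo"
    else
        record "no $WORKFLOW to disable in $repo"
    fi
}

# Number of runs the log records as cancelled for a repository (for later verification).
cancelled_count() {
    grep -c "cancelled .* in $1" "$LOG" 2>/dev/null || true
}

# Walk every repository in the organization (default gh page size is 30, so raise it).
stop_org() {
    "${GH:-gh}" repo list "$ORG" --limit 100 --json name --jq '.[].name' |
    while IFS= read -r name; do
        stop_repo "$ORG/$name"
    done
}
```

Run it as `sh stop-gmi.sh` once, then re-run `stop_org` after a minute: a second pass should cancel nothing, which is the same check the Verification line above describes, now recorded in the log.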
Objective: Prevent further damage by isolating credentials, access, and the agent runtime.
Time target: Minutes 2–10
| Secret | Where to rotate | Command / Location |
|---|---|---|
| `ANTHROPIC_API_KEY` | console.anthropic.com | Regenerate the key and update the repo secret |
| `OPENAI_API_KEY` | platform.openai.com | Regenerate if configured |
| `GITHUB_TOKEN` | Auto-expires when the workflow ends | Verify no persistent tokens were created |
| `APP_PRIVATE_KEY` | GitHub App settings → Keys | Regenerate the private key |
| Any other provider keys | Respective provider consoles | Rotate and update repo secrets |
```bash
# Update a repository secret (after rotating the value at the provider)
gh secret set ANTHROPIC_API_KEY --body "sk-new-rotated-key-value"
# Prefer reading the value from a file or stdin so the new key is not written to shell history
gh secret set ANTHROPIC_API_KEY < /path/to/rotated-key
```

- Enable branch protection on `main` (if not already):
  - Require pull request reviews before merging.
  - Require status checks to pass.
  - Restrict who can push directly.
- Audit collaborator list: Remove any unexpected users or pending invitations.
- Review GitHub App installations: Revoke any unrecognised App installations on the repository.
If the agent is still accepting issue-triggered commands, open an issue instructing it to cease all autonomous operations.
Note: This is a software-level instruction. It is not a substitute for disabling the workflow (Step 1.4). Always disable the workflow first.
Objective: Remove any files the agent created or modified without authorisation.
Time target: Minutes 10–60
```bash
# Review recent commits (last 24 hours)
git log --all --oneline --since="24 hours ago"

# Show files changed in the last N commits
git diff --name-only HEAD~10

# Find new or modified workflow files
find .github/workflows -type f -newer security-assessment.md -ls

# Find new or modified files in the agent directory
find .github-minimum-intelligence -type f -newer security-assessment.md -ls
```

If the agent injected new workflow files:
```bash
# Delete the specific unauthorized workflow file
git rm .github/workflows/<unauthorized-workflow>.yml

# Commit the deletion
git commit -m "incident: remove unauthorized workflow file"
git push origin main
```

```bash
# List all remote branches
git branch -r

# Delete each unauthorized branch
git push origin --delete <unauthorized-branch-name>
```

```bash
# Revert a specific commit (creates a new commit that undoes the changes)
git revert <commit-hash> --no-edit
git push origin main
```

If agent session or state files have been tampered with:
```bash
# Remove all agent state (conversations and issue mappings)
git rm -r .github-minimum-intelligence/state/sessions/*
git rm -r .github-minimum-intelligence/state/issues/*
git commit -m "incident: purge agent state files"
git push origin main
```

If cross-repository contamination is suspected, repeat steps 3.1–3.5 for every repository in the organization:
```bash
for repo in $(gh repo list japer-technology --json name --jq '.[].name'); do
  echo "Auditing $repo..."
  gh repo clone "japer-technology/$repo" "/tmp/$repo" -- --depth=50
  cd "/tmp/$repo"
  git log --all --oneline --since="24 hours ago"
  cd -
done
```

Objective: Ensure the agent workflow is safe before any re-enablement.
Time target: Hours 1–24
Compare the current workflow against the known-good version:
```bash
# Diff the installed workflow against the upstream template
diff .github/workflows/github-minimum-intelligence-agent.yml \
  .github-minimum-intelligence/install/github-minimum-intelligence-agent.yml
```

Verify:
- The `authorization` step still checks collaborator permissions.
- No unexpected `schedule:`, `workflow_dispatch:`, or `push:` triggers have been added.
- No additional steps, jobs, or scripts have been injected.
- Environment variables and secrets match the expected set.

```bash
# Check for modifications to lifecycle scripts
git diff HEAD~20 -- .github-minimum-intelligence/lifecycle/
git diff HEAD~20 -- .github-minimum-intelligence/.pi/
```

Verify:
- `agent.ts` has not been modified to bypass safety checks.
- `APPEND_SYSTEM.md` has not been altered with malicious instructions.
- No new skills have been added to `.pi/skills/` without authorisation.
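Reading a `diff` by eye under time pressure is error-prone, so the following added example (not part of the GMI project or of this plan's original text) turns the first two checks of the workflow verification list into a repeatable script: it extracts the trigger names declared under the top-level `on:` key of a workflow file, reports any that are not on an allowlist, and confirms that an authorization step is still present. It assumes that the known-good workflow is triggered only by `issues` and `issue_comment` events and that the collaborator-permission check is a step with `id: authorization`; both are assumptions about the installed template and should be adjusted to match the file under `.github-minimum-intelligence/install/`.

```shell
#!/usr/bin/env sh
# Added example: mechanical checks for the Step 4 workflow audit.
# Assumptions (not from the project): the allowed trigger set below matches the
# known-good template, and the collaborator check carries `id: authorization`.
ALLOWED_TRIGGERS="${ALLOWED_TRIGGERS:-issues issue_comment}"

# Print the trigger names declared under the top-level `on:` key, one per line.
# Handles the block form (`on:` followed by indented keys), `on: [a, b]` and `on: push`.
# Only keys at the first indentation level count; nested keys such as `types:` are skipped.
workflow_triggers() {
    awk '
        /^on:[ \t]*\[/ { s = $0; sub(/^on:[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                         n = split(s, a, /[ \t]*,[ \t]*/); for (i = 1; i <= n; i++) print a[i]; next }
        /^on:[ \t]*[A-Za-z_]/ { s = $0; sub(/^on:[ \t]*/, "", s); sub(/[ \t]*#.*$/, "", s); print s; next }
        /^on:[ \t]*$/ { inon = 1; next }
        inon && match($0, /^[ \t]+/) && substr($0, RLENGTH + 1) ~ /^[A-Za-z_]+:/ {
            if (ind == 0) ind = RLENGTH
            if (RLENGTH == ind) { key = substr($0, RLENGTH + 1); sub(/:.*$/, "", key); print key }
            next
        }
        inon && /^[^ \t#]/ { inon = 0 }
    ' "$1"
}

# Print every declared trigger that is not in ALLOWED_TRIGGERS.
unexpected_triggers() {
    workflow_triggers "$1" | while IFS= read -r t; do
        found=0
        for a in $ALLOWED_TRIGGERS; do
            if [ "$t" = "$a" ]; then found=1; fi
        done
        [ "$found" = 1 ] || echo "$t"
    done
}

# Succeed if a step with `id: authorization` (assumed id) is present in the workflow.
has_authorization_step() {
    grep -Eq '^[ \t]*-?[ \t]*id:[ \t]*authorization[ \t]*$' "$1"
}

# Full audit of one workflow file: prints one finding per line, exit 0 only when clean.
audit_workflow() {
    rc=0
    extra="$(unexpected_triggers "$1")"
    if [ -n "$extra" ]; then
        printf 'unexpected trigger: %s\n' $extra
        rc=1
    fi
    if ! has_authorization_step "$1"; then
        echo "authorization step missing"
        rc=1
    fi
    return $rc
}
```

Run `audit_workflow .github/workflows/github-minimum-intelligence-agent.yml` against the installed file and, as a control, against the template under `.github-minimum-intelligence/install/`; the template must come back clean or the allowlist is wrong, not the workflow. The remaining two bullets (injected steps, environment variables) still need the `diff` above, since they depend on the template rather than on a fixed rule.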
Before re-enabling the workflow, implement the recommendations from security-assessment.md Section 12:
- Restrict token scope: Use a fine-grained personal access token scoped to this repository only.
- Enable branch protection: Require pull request reviews for all changes.
- Add network egress controls: Consider a self-hosted runner with firewall rules.
- Add a command allowlist: Restrict the agent to read-only tools if appropriate.
```bash
# Re-enable the workflow only after all safeguards are in place
gh workflow enable "github-minimum-intelligence-agent.yml"
```

Objective: Restore normal operations and inform stakeholders.
Time target: Hours 2–48
```bash
# Verify no unexpected files remain
git status
find . -name '*.yml' -path '*/.github/workflows/*' -exec echo "Workflow: {}" \;

# Verify secrets are rotated
gh secret list
```

| Audience | Channel | Content |
|---|---|---|
| Organization admins | Direct message / email | Full incident timeline, actions taken, remaining risks |
| Repository contributors | GitHub Issue (private repo) or direct contact | Summary of what happened, what was affected, what action they need to take |
| Downstream consumers | Advisory / release note | Whether shipped code was affected, recommended actions |
| LLM provider (Anthropic, etc.) | Support channel | Key rotation confirmation, request for usage audit |
| GitHub Support | Support ticket | If org-wide token abuse is suspected |
Create an incident record capturing:
- Timeline: When the incident was detected, contained, eradicated, and resolved.
- Root cause: How the compromise occurred (prompt injection, compromised account, etc.).
- Blast radius: Which repositories, secrets, and systems were affected.
- Actions taken: Every step performed during response.
- Lessons learned: What controls failed and what will be improved.
Objective: Prevent recurrence.
Time target: Days 1–7
- Conduct a post-incident review with all involved parties.
- Update the threat model in security-assessment.md with new attack vectors discovered.
- Implement additional monitoring (e.g., alerts on workflow file changes, unexpected branch creation).
- Review and tighten permissions across all organization repositories.
- Consider moving to a self-hosted runner with network restrictions and reduced privileges.
- Update this incident response plan with any new procedures identified.
- Share findings with the broader community to help others avoid similar incidents.
```text
┌────────────────────────────────────────────────────────────────┐
│ INCIDENT RESPONSE — QUICK REFERENCE                            │
├────────────────────────────────────────────────────────────────┤
│                                                                │
│ 1. STOP ACTIONS     gh run cancel, gh workflow disable         │
│ 2. TAKE CONTROL     Rotate secrets, lock down access           │
│ 3. DELETE FILES     git rm, git revert, delete branches        │
│ 4. AUDIT THE AGENT  Diff workflow & lifecycle files            │
│ 5. RECOVER          Validate, notify, document                 │
│ 6. HARDEN           Post-incident review, implement fixes      │
│                                                                │
│ Emergency: git revert <hash>, then think.                      │
│                                                                │
└────────────────────────────────────────────────────────────────┘
```
This incident response plan is maintained under the principle of preserving integrity. Preparedness is not paranoia — it is a duty.