The authors introduce JAW, the first framework to detect and exploit vulnerabilities in agentic workflows (like GitHub Actions and n8n) by hijacking LLM agents via adversarially crafted inputs (e.g., GitHub issue comments). Their novel Context-Grounded Evolution approach evolves inputs under contexts derived from hybrid program analysis: static path-feasibility analysis (identifying feasible agent-invocation paths), dynamic prompt-provenance analysis (tracking how inputs are embedded into LLM context), and capability analysis (identifying agent actions and restrictions). They show 4,714 GitHub workflows and 8 n8n templates can be hijacked for credential exfiltration and arbitrary command execution.
Main takeaways:
- Agentic workflows integrate LLMs into automation platforms (GitHub Actions, n8n), exposing a new attack surface: adversaries can craft inputs (e.g., issue comments) to manipulate the LLM agent.
- JAW uses Context-Grounded Evolution, which evolves agentic workflow inputs under contexts derived from three analyses: static path-feasibility, dynamic prompt-provenance, and capability analysis.
- Static path-feasibility analysis identifies feasible agent-invocation paths and the input constraints needed to trigger them.
- Dynamic prompt-provenance analysis tracks how adversarial input is transformed and embedded into the LLM's context window.
- Evaluation shows 4,714 GitHub workflows and 8 n8n templates can be hijacked, including official Actions for Claude Code, Gemini CLI, Qwen CLI, and Cursor CLI.