comment-shield v1.0

Comment-and-Control Exposure Index

A single PR title or issue comment can hijack Claude Code, Gemini CLI, and GitHub Copilot Agent — the April 2026 Aonan Guan disclosure showed how. No CVEs were ever assigned and no public advisories were published. This dashboard finds which public repos are still exposed, runs the actual grader against the actual workflow YAML, and shows the diff that fixes it.


Affected vendors

Anthropic · Claude Code
Google · Gemini CLI
GitHub · Copilot Agent

Scan a repo

Paste any public GitHub repo URL. We fetch its workflows, grade them against the Comment-and-Control conditions, and return a per-file score in under 30 seconds.

Grade distribution by vendor

Scanned repos

Repo Grade Score Vendor Stars Workflow Last scanned

Public disclosure timeline
