If I understand the "attack" correctly, what is going on here is that a user is tricked into creating a PR that includes sensitive information? Is this any different than accidentally copy-pasting sensitive information into a PR or an email and sending that out?
I interpreted this as, if you have any public repos, you let people prompt inject Claude (or any LLM using this MCP) when it reads public issues on those repos and since it can read all your private repos the prompt injection can ask for information from those.
No, you make an issue on a public repo asking for information about your private repos, and the bot making a PR (which has access to your private repos) will "helpfully" make a PR adding the private repo information to the public repo.