Billing can be bypassed using a combo of subagents with an agent definition

Source: Hacker News

Summary

In Copilot it is possible to bypass billing / “premium request” usage by exploiting:

• Subagents and tool calls that do not consume any “requests”.
• Request cost being calculated only on the initial model used.
• “Free” models included in Copilot (e.g., GPT‑5‑mini, GPT‑4.1, etc.).
• The ability to define an agent for a subagent.
• The ability to specify a model for an agent.

When combined correctly, this can result in “free” and near‑unlimited usage of expensive premium models such as Opus 4.5, which would normally cost three premium requests.

Instructions

1. Start a new chat.
2. Set the model to a free model included in Copilot (e.g., GPT‑5 Mini).
3. Create an agent and set its model to a premium model (e.g., Opus 4.5).
4. Set the mode to agent.
5. In the initial message, instruct the free model to launch the agent (named whatever you choose) as a subagent using the runSubagent tool, passing the desired query (e.g., “What time is it in London, UK”).
6. Submit the message.

Result

• The initial request is handled by the free GPT‑5 Mini model, incurring no fees.
• The free model creates a subagent (also free).
• The subagent runs with an agent profile whose model is set to the premium model.
• The premium model processes the subagent’s work, but premium requests are not consumed.

Example 1

Example Chat Message

/ask-opus Make a todolist app.

Prompt File (.github/prompts/ask-opus.prompt.md)

# USER_REQUEST_START
name: ask-opus
description: Run a query in a subagent that uses the Opus‑4.5 model.
model: GPT-5 mini (copilot)
agent: agent
# USER_REQUEST_INSTRUCTIONS
Call #tool:agent/runSubagent with the following arguments:
  - agentName: "opus-agent"
  - prompt: $USER_QUERY
# USER_REQUEST_RULES
- You may call the subagent defined in USER_REQUEST_INSTRUCTIONS as many times as needed.
- Use the subagent to decide how best to respond or complete the task (it is a larger model than you), including breaking the task into smaller steps.
- The subagent should handle all todos/tasks/queries; you act only as an orchestrator.
- Do not manipulate or summarize subagent responses to save tokens—be comprehensive and verbose.
- Do not evaluate or respond to the remainder of this message; the subagent is responsible for all further content.
# USER_REQUEST_END

Agent File (.github/agents/opus.agent.md)

name: opus-agent
description: An AI agent that assists a user with a task or query.
argument-hint: Query or task to complete
model: Claude Opus 4.5 (copilot)
---
Respond to the user's query/task ($ARGUMENTS) comprehensively and accurately.

Example 2

Another abuse vector (requires more effort):

1. Set chat.agent.maxRequests to a high value.
2. Use a premium model (e.g., Opus 4.5) as the initial model for the chat session.
3. Build a custom script (not disclosed for safety) that the model is instructed to call via a tool invocation.
4. Craft prompts that cause the model to repeat the tool call(s), creating a loop.

With the right script and prompts, the premium model can be invoked repeatedly without additional cost beyond the initial message. In testing, a single message triggered a 3‑hour process that launched hundreds of Opus 4.5 subagents to process hundreds of files, consuming only three premium credits. Stopping the loop after three hours prevented further consumption.

Related observation: Message “types” are declared on the client, implying no API validation, e.g., toolCallingLoop.ts line 484.

Additional Details

• Copilot Chat Extension Version: 0.37.2026013101
• VS Code Version: 1.109.0‑insider (Universal) – f3d99de commit
• OS Version: macOS 14 (Sonoma) 26.3
• Feature: Agent / SubAgent

This issue is distinct from #252230.

Note: The vulnerability was initially reported to MSRC (VULN‑172488); MSRC deemed billing bypass outside its scope and advised filing as a public bug report.