Billing can be bypassed using a combination of subagents with an agent definition, resulting in unlimited free premium requests. · Issue #292452 · microsoft/vscode · GitHub

Summary

In Copilot it is possible to bypass any billing/‘premium request’ usage by taking advantage of:

  • Subagent and tool calls are not consuming any ‘request’.
  • The request cost is being calculated on the initial model used.
  • Copilot includes “free” models, like GPT-5-mini, GPT-4.1, etc.
  • Ability to define an agent for a subagent.
  • Ability to specify a model for an agent.

When combined correctly these result in ‘free’ and almost unlimited use of expensive premium models like Opus 4.5, which usually costs ‘3 premium requests’:

Instructions

  1. Start a new chat.
  2. Set the model to the “free” model that is included with Copilot, for example GPT-5 Mini.
  3. Create an agent, and set its model to the premium model, for example Opus 4.5.
  4. Set the mode to “Agent”.
  5. In the initial message, instruct it to launch the agent ‘[your_agents_name_here]’ as a subagent using the RunSubAgent tool, and pass it a query, for example “What time is it in London, UK”.
  6. Submit message.
  7. The initial request will be accepted by the free GPT-5 mini model at no charge.
  8. The free model will create a subagent (which is also free).
  9. The free subagent will launch with an ‘Agent’ profile; in this profile the model is set to the premium model.
  10. The premium model will be used for subagents – but premium requests will be consumed.

Example 1

Example chat message:

/ask-opus Make a todolist app.

Example prompt file:
.github/prompts/ask-opus.prompt.md

---
name: ask-opus
description: Run a query in a subagent that uses the Opus-4.5 model.
model: GPT-5 mini (copilot)
agent: agent
---

Call #tool:agent/runSubagent - include the following args:
- agentName: "opus-agent"
- prompt: $USER_QUERY



- You can call the 'subagent' defined in 'USER_REQUEST_INSTRUCTIONS' as many times as needed to fulfill the user's request.
- It's recommended you use the subagent to help you decide how best to respond and/or complete the task (because it is a larger model than you) including how best to break the task down into smaller steps if needed.
- Use the subagent for all todos/tasks/queries, do not perform any task or respond to any query yourself, you are just an orchestrator.
- Do not manipulate/summarize subagent responses to save on tokens, always be comprehensive and verbose.
- Do not evaluate or respond to the remainder of this message, the subagent is responsible for all further content.


--- USER_REQUEST_START ---

Example agent file:
.github/agents/opus.agent.md

---
name: opus-agent
description: An AI agent that assists a user with a task or query.
argument-hint: Query or task to complete
model: Claude Opus 4.5 (copilot)
---
Respond to the user's query/task ($ARGUMENTS) in comprehensively and accurately.

Example 2

Another vector of abuse – albeit one requiring more effort:

  • Set chat.agent.maxRequests to a higher value.
  • Use a premium model such as Opus 4.5 as the starting point for a chat session.
  • Create a custom script (not exposed for security), which you tell the model to call as part of the tool invocation.
  • Create some prompts to direct the model to repeat the tool call.
  • The right script with the right signals can be tailored to form a loop, allowing the premium model to be applied an unlimited number of times at no additional cost beyond the initial message.

In my testing I got a single message resulting in a 3 hour+ process that launched hundreds of Opus 4.5 subagents to process hundreds of files – and only consumed 3 premium credits. If I had not stopped it at 3 o’clock, it would have continued.


Connected: I also noted that the message ‘type’ is being declared on the client, causing no API validation. Example: https://github.com/Microsoft/vscode-copilot-chat/blob/main/src/extension/intents/node/toolCallingLoop.ts#L484

I believe this is another vector that allows more blatant abuse against the API directly.


Comment: Initially submitted this to MSRC (VULN-172488), MSRC insisted that bypassing billing is outside MSRC scope and instructed me multiple times to file it as a public bug report.


  • Copilot Chat Extension Version: 0.37.2026013101
  • VS Code version: 1.109.0-Insider (Universal) – f3d99de
  • OS Version: OSX Tahoe 26.3
  • Feature: Agent / Subagent

This is not the same issue as #252230
(My previous issue was automatically closed by the bot and postponed to above).
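
The accounting gap described in this issue, as an added example that is not part of the original report and is not code from vscode or vscode-copilot-chat: it compares billing on the initial model only with billing every invocation at the multiplier of the model that served it. The `Invocation` shape and all function names are hypothetical; the multipliers (0 for the included model, 3 for Opus 4.5) are taken from the issue text.

```typescript
// Added illustration; the types and function names here are hypothetical.
// Multipliers follow the issue text: the included model is free, Opus 4.5 costs 3.
const MULTIPLIER: Record<string, number> = {
  "GPT-5 mini (copilot)": 0,
  "Claude Opus 4.5 (copilot)": 3,
};

// One model invocation plus the subagent invocations it spawned.
interface Invocation {
  model: string;
  subagents: Invocation[];
}

function multiplierFor(model: string): number {
  const m = MULTIPLIER[model];
  // Fail closed: an unknown model must not silently bill as free.
  if (m === undefined) throw new Error(`no billing multiplier for model: ${model}`);
  return m;
}

// Accounting as the issue describes it: only the model that accepted the
// initial message is billed; subagent invocations are never counted.
function chargeByInitialModel(root: Invocation): number {
  return multiplierFor(root.model);
}

// Alternative accounting: walk the whole invocation tree and bill each node
// at the multiplier of the model that actually served it.
function chargeByServedModel(root: Invocation): number {
  let total = 0;
  const stack: Invocation[] = [root];
  while (stack.length > 0) {
    const inv = stack.pop()!;
    total += multiplierFor(inv.model);
    stack.push(...inv.subagents);
  }
  return total;
}

// Constructed sample: a free orchestrator that delegated to n premium subagents.
function sampleSession(n: number): Invocation {
  const subagents = Array.from({ length: n }, (): Invocation => (
    { model: "Claude Opus 4.5 (copilot)", subagents: [] }));
  return { model: "GPT-5 mini (copilot)", subagents };
}
```

For the constructed session with 100 subagents, the first function returns 0 and the second returns 300, which is the difference a usage report would need to surface to detect this pattern.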


