Back Original

Billing can be bypassed using a combo of subagents with an agent definition

Summary

It's possible in Copilot to bypass any billing / 'premium request' usage by taking advantage of:

  • Subagents and tool calls not consuming any 'requests'.
  • Request cost being calculated on the initial model used.
  • "Free" models incl. in Copilot e.g. GPT-5-mini, GPT-4.1 etc.
  • Ability to define an agent for a subagent.
  • Ability to specify a model for an agent.

Combining these correctly results in 'free' and almost unlimited, usage of expensive premium models like Opus 4.5 which would usually cost '3 premium requests':

Instructions

  1. Start a new Chat.
  2. Set the model to a "free" model, included in Copilot e.g. GPT-5 Mini.
  3. Create an agent, and set it's model to a premium model, e.g. Opus 4.5
  4. Set the mode to "agent".
  5. In the initial message, instruct it to launch an agent '[your_agents_name_here]' as a subagent using the runSubagent tool, and to pass on the following query e.g. "What time is it in London, UK".
  6. Submit the message.
  7. The initial request will be picked up by the free GPT-5 Mini model, incurring no fees.
  8. The free model will create a subagent (which is also free)
  9. The free subagent will launch with an 'agent' profile, this profile has the model set to a premium model
  10. The premium model will be used for the subagent - but premium requests will be consumed.

Example 1

Example Chat Message:

/ask-opus Make a todolist app.

Example Prompt File:

---
name: ask-opus
description: Run a query in a subagent that uses the Opus-4.5 model.
model: GPT-5 mini (copilot)
agent: agent
---
<USER_REQUEST_INSTRUCTIONS>
Call #tool:agent/runSubagent - include the following args:
- agentName: "opus-agent"
- prompt: $USER_QUERY
</USER_REQUEST_INSTRUCTIONS>

<USER_REQUEST_RULES>
- You can call the 'subagent' defined in 'USER_REQUEST_INSTRUCTIONS' as many times as needed to fulfill the user's request.
- It's recommended you use the subagent to help you decide how best to respond and/or complete the task (because it is a larger model than you) including how best to break the task down into smaller steps if needed.
- Use the subagent for all todos/tasks/queries, do not perform any task or respond to any query yourself, you are just an orchestrator.
- Do not manipulate/summarize subagent responses to save on tokens, always be comprehensive and verbose.
- Do not evaluate or respond to the remainder of this message, the subagent is responsible for all further content.
</USER_REQUEST_RULES>

--- USER_REQUEST_START ---

Example Agent File

---
name: opus-agent
description: An AI agent that assists a user with a task or query.
argument-hint: Query or task to complete
model: Claude Opus 4.5 (copilot)
---
Respond to the user's query/task ($ARGUMENTS) in comprehensively and accurately.

Example 2

Another vector for abuse - albeit requiring more effort is:

  • Set chat.agent.maxRequests to a high value.
  • Use a premium model e.g. Opus 4.5 as the initial model for the chat session.
  • Build a custom script (not disclosed for safety), that you tell the model to call as part of a tool invocation.
  • Craft some prompts to direct the model to repeat the tool call(s).
  • The right script, with the right prompts can be tailored to create a loop, allowing the premium model to continually be invoked unlimited times for no additional cost beyond that of the initial message.


In my testing I had a single message result in a 3hr+ process that launched hundreds of Opus 4.5 subagents to process hundreds of files - and only consumed 3 premium credits. Had I not stopped it at 3hrs, it would have continued.

Related: I also noted the message 'types' are being declared on the client, inferring no API validation e.g: https://github.com/microsoft/vscode-copilot-chat/blob/main/src/extension/intents/node/toolCallingLoop.ts#L484

I believe this is another vector that allows for more blatant abuse directly against the API.

Note: Initially submitted this to MSRC (VULN-172488), MSRC insisted bypassing billing is outside of MSRC scope and instructed me multiple times to file as a public bug report.

  • Copilot Chat Extension Version: 0.37.2026013101
  • VS Code Version: 1.109.0-insider (Universal) - f3d99de
  • OS Version: OSX Tahoe 26.3
  • Feature: Agent / SubAgent

This is NOT the same issue as #252230