Summary
The execute_code sandbox currently forwards a broad set of host environment variables using a substring blocklist plus safe prefixes. This misses common secret naming patterns such as DATABASE_URL, SLACK_WEBHOOK, AWS_ACCESS_ID, and SENTRY_DSN. In addition, Python code running inside execute_code can call the generated terminal() helper, and that path should be guarded consistently before dispatching terminal commands.
Impact
A prompt or remote gateway message that causes the model to invoke execute_code can expose credentials from the parent environment to the child process. If the child uses terminal(), dangerous commands may be dispatched without an approval check at the execute-code RPC boundary.
Affected area
tools/code_execution_tool.py::_scrub_child_env
tools/code_execution_tool.py::_rpc_server_loop terminal dispatch
Suggested fix
- Convert execute-code child environment construction to an explicit safe allowlist, keeping skill/config passthrough for variables that are intentionally exposed.
- Remove broad HERMES_ passthrough from default safe prefixes.
- Expand secret-name coverage for common patterns such as DSNs, webhooks, database URLs, and access IDs.
- Run terminal approval guards before dispatching sandbox terminal() calls.
- Add regression tests for environment scrubbing and terminal guard behavior.
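The following is an added example, not code from the project, contrasting the two scrubbing strategies the fix describes: a substring blocklist with safe prefixes (its exact shape is assumed, since the advisory does not quote _scrub_child_env) forwards DATABASE_URL, SLACK_WEBHOOK, AWS_ACCESS_ID, SENTRY_DSN and any HERMES_-prefixed token, while an explicit allowlist with a broadened secret-name check forwards only what is intentionally exposed. The blocked substrings, base allowlist, regex and sample environment are all constructed for illustration.

```python
import re

# Constructed stand-in for the substring blocklist plus safe prefixes
# (assumed shape; the advisory does not quote the real implementation).
BLOCKED_SUBSTRINGS = ("KEY", "TOKEN", "SECRET", "PASSWORD")
SAFE_PREFIXES = ("HERMES_", "LC_")

def scrub_blocklist(env):
    """Blocklist approach: forward anything not matching a blocked substring."""
    out = {}
    for name, value in env.items():
        upper = name.upper()
        if upper.startswith(SAFE_PREFIXES) or not any(s in upper for s in BLOCKED_SUBSTRINGS):
            out[name] = value
    return out

# Broader secret-name pattern covering DSNs, webhooks, database URLs and access IDs.
SECRET_NAME = re.compile(
    r"(KEY|TOKEN|SECRET|PASS(WORD)?|DSN|WEBHOOK|DATABASE_URL|DB_URL|ACCESS_ID|CREDENTIAL)"
)

def looks_like_secret(name):
    return bool(SECRET_NAME.search(name.upper()))

# Allowlist approach: only names explicitly known to be needed reach the child.
BASE_ALLOWLIST = frozenset({"PATH", "HOME", "LANG", "TZ", "TERM", "TMPDIR"})

def scrub_allowlist(env, passthrough=()):
    """passthrough: hypothetical skill/config names intentionally exposed; even
    those are refused when the name matches the secret pattern."""
    allowed = BASE_ALLOWLIST | {n for n in passthrough if not looks_like_secret(n)}
    return {k: v for k, v in env.items() if k in allowed}

# Constructed sample of a parent environment holding typical secrets.
SAMPLE_ENV = {
    "PATH": "/usr/bin", "HOME": "/home/agent", "LANG": "C.UTF-8",
    "DATABASE_URL": "postgres://user:pw@db/app",
    "SLACK_WEBHOOK": "https://hooks.example/T0/B0/x",
    "AWS_ACCESS_ID": "AKIA-EXAMPLE",
    "SENTRY_DSN": "https://abc@sentry.example/1",
    "HERMES_GATEWAY_TOKEN": "example-token",
    "MY_SKILL_ENDPOINT": "https://skill.example",
}
SAMPLE_SECRETS = {"DATABASE_URL", "SLACK_WEBHOOK", "AWS_ACCESS_ID",
                  "SENTRY_DSN", "HERMES_GATEWAY_TOKEN"}

def leaked(scrubbed):
    """Names of the sample secrets that survived scrubbing, sorted."""
    return sorted(SAMPLE_SECRETS & set(scrubbed))
```

With the blocklist, all five sample secrets reach the child (HERMES_GATEWAY_TOKEN because its prefix is trusted even though it contains TOKEN); with the allowlist, passing ["MY_SKILL_ENDPOINT", "HERMES_GATEWAY_TOKEN"] as passthrough forwards only the endpoint.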