
fix(mcp): harden stdio env filtering #91751

Merged: eleqtrizit merged 1 commit into openclaw:main from eleqtrizit:745 on Jun 9, 2026
@eleqtrizit eleqtrizit commented Jun 9, 2026

Contributor

Summary

Harden stdio MCP server environment filtering so configured child-process env drops inherited execution/config pivot variables consistently with OpenClaw host process hardening.

Changes

  • Adds a dedicated MCP stdio env predicate that keeps existing always-dangerous host env blocking.
  • Drops inherited child-process config pivots such as Ansible and Terraform config env keys before stdio MCP spawn.
  • Preserves explicit MCP credential env keys, such as GITHUB_TOKEN, so configured authenticated MCP servers keep working.
  • Documents the explicit credential allowlist maintenance contract so future policy additions keep credential keys separate from loader/search/config pivots.
  • Expands resolveMcpTransportConfig coverage for the new dropped and preserved env behavior.

Validation

  • node scripts/run-vitest.mjs src/agents/mcp-transport-config.test.ts -> 1 file passed, 9 tests passed.
  • git diff --check -> passed.
  • git diff origin/main...HEAD --check -> passed.
  • .agents/skills/autoreview/scripts/autoreview --mode local -> clean, no accepted/actionable findings.
  • Real MCP stdio proof with an isolated temporary config:
    • Command path: OPENCLAW_CONFIG_PATH=<temp>/openclaw.json OPENCLAW_TEST_FAST=1 corepack pnpm openclaw mcp add env-proof ... --no-probe, then OPENCLAW_CONFIG_PATH=<temp>/openclaw.json OPENCLAW_TEST_FAST=1 corepack pnpm openclaw mcp probe env-proof --json.
    • Probe result: connected successfully, listed env-proof__ping, diagnostics [].
    • Startup warnings: ANSIBLE_CONFIG and TF_CLI_CONFIG_FILE were blocked for stdio startup safety.
    • Spawned child proof JSON: ANSIBLE_CONFIG_present=false, TF_CLI_CONFIG_FILE_present=false, GITHUB_TOKEN_present=true, HTTP_PROXY_present=true.

Notes

  • Compatibility impact is intentional: configured stdio MCP env keys already classified as inherited child-process config pivots are now ignored with the existing startup-safety warning.
  • Explicit credential env keys and allowed inherited operator env such as GITHUB_TOKEN and HTTP_PROXY continue to pass.
  • Refs NVIDIA tracking issue: https://github.com/NVIDIA-dev/openclaw-tracking/issues/745
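The filter order this PR describes, as an added TypeScript sketch that is not OpenClaw's code: always-dangerous keys are dropped first, explicit credential keys are kept next, and the inherited child-process policy applies to everything else. The key lists are constructed from names mentioned in this thread; every function name, the `mcp.servers.<name>.env` config shape, the case-insensitive match, and placing GITHUB_TOKEN in the inherited list are assumptions of the sketch.

```typescript
// Added sketch, not OpenClaw source. Key lists are constructed from names
// mentioned in this PR thread; the real policy file is not reproduced here.

type EnvDecision = "blocked-always" | "kept-credential" | "blocked-inherited" | "kept";

// Interpreter/loader startup keys: blocked for every child, no override.
const ALWAYS_DANGEROUS: ReadonlyArray<string> = ["NODE_OPTIONS", "LD_PRELOAD", "BASH_ENV"];

// Dangerous when handed to a spawned child. ANSIBLE_CONFIG and TF_CLI_CONFIG_FILE
// come from the thread; GITHUB_TOKEN is listed only as an assumption of this
// sketch, so that the credential allowlist has something to override.
const INHERITED_DANGEROUS: ReadonlyArray<string> = ["ANSIBLE_CONFIG", "TF_CLI_CONFIG_FILE", "GITHUB_TOKEN"];

// Explicit credential keys an operator may set for an authenticated MCP server.
// Maintenance contract: credentials only, never loader/search/config pivots.
const EXPLICIT_CREDENTIALS: ReadonlyArray<string> = ["GITHUB_TOKEN", "DATABASE_URL", "AWS_ACCESS_KEY_ID"];

function hasKey(list: ReadonlyArray<string>, key: string): boolean {
  return list.indexOf(key) !== -1;
}

// Order matters: always-dangerous wins over the allowlist, and the allowlist
// wins over the inherited policy.
function classifyMcpStdioEnvKey(rawKey: string): EnvDecision {
  const key = rawKey.trim().toUpperCase(); // assumption: case-insensitive match
  if (hasKey(ALWAYS_DANGEROUS, key)) return "blocked-always";
  if (hasKey(EXPLICIT_CREDENTIALS, key)) return "kept-credential";
  if (hasKey(INHERITED_DANGEROUS, key)) return "blocked-inherited";
  return "kept";
}

interface FilterResult {
  env: Record<string, string>;
  warnings: string[];
}

function filterMcpStdioEnv(serverName: string, configured: Record<string, string>): FilterResult {
  // Null-prototype object so a key such as "__proto__" is stored as plain data.
  const env: Record<string, string> = Object.create(null);
  const warnings: string[] = [];
  for (const key of Object.keys(configured)) {
    const value = configured[key];
    if (typeof value !== "string") continue; // ignore non-string config values
    const decision = classifyMcpStdioEnvKey(key);
    if (decision === "blocked-always" || decision === "blocked-inherited") {
      // Same wording as the startup-safety warning quoted in this thread.
      warnings.push(`[bundle-mcp] server "${serverName}": env "${key}" is blocked for stdio startup safety and was ignored.`);
      continue;
    }
    env[key] = value;
  }
  return { env, warnings };
}

// Hypothetical config shape, inferred from the "mcp.servers.*.env" path.
interface McpConfig {
  mcp: { servers: Record<string, { env?: Record<string, string> }> };
}

// Upgrade audit: list every configured key that would now be ignored.
function auditMcpConfig(config: McpConfig): string[] {
  let all: string[] = [];
  for (const name of Object.keys(config.mcp.servers)) {
    const server = config.mcp.servers[name];
    const env: Record<string, string> = (server && server.env) || {};
    all = all.concat(filterMcpStdioEnv(name, env).warnings);
  }
  return all;
}

// Contract check: a credential key that is also always-dangerous would be
// silently dropped, so the allowlist and that list must stay disjoint.
function findAllowlistConflicts(): string[] {
  return EXPLICIT_CREDENTIALS.filter((k) => hasKey(ALWAYS_DANGEROUS, k));
}

// Constructed sample mirroring the env keys used in the PR's proof run.
const SAMPLE_CONFIG: McpConfig = {
  mcp: {
    servers: {
      "env-proof": {
        env: {
          ANSIBLE_CONFIG: "/tmp/evil-ansible.cfg",
          TF_CLI_CONFIG_FILE: "/tmp/evil-terraform.rc",
          GITHUB_TOKEN: "<redacted dummy credential>",
          HTTP_PROXY: "http://proxy.invalid:8080",
        },
      },
      "no-env": {},
    },
  },
};
```

Running `auditMcpConfig` over a parsed config before upgrading shows which configured keys will stop reaching the child process.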

@openclaw-barnacle openclaw-barnacle Bot added agents Agent runtime and tooling size: S maintainer Maintainer-authored PR labels Jun 9, 2026
clawsweeper Bot commented Jun 9, 2026

Contributor

Codex review: needs changes before merge. Reviewed June 9, 2026, 5:04 PM ET / 21:04 UTC.

Summary
The PR hardens MCP stdio environment filtering to drop inherited child-process config-pivot variables while preserving selected explicit credential and operator env keys.

PR surface: Source +36, Tests +9. Total +45 across 2 files.

Reproducibility: yes. from source: current main only calls isDangerousHostEnvVarName for MCP stdio env, while ANSIBLE_CONFIG and TF_CLI_CONFIG_FILE are only dangerous through isDangerousHostInheritedEnvVarName. I did not run the live MCP proof locally because this review is read-only, but the contributor's terminal proof matches the inspected code path.

Review metrics: 1 noteworthy metric.

  • Configured env behavior: 1 documented config surface changed. The patch changes which keys survive under stdio MCP server env config, so upgrade and docs evidence matter before merge.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🦞 diamond lobster
Patch quality: 🦐 gold shrimp
Result: needs maintainer review before merge.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Update the MCP stdio env safety docs for inherited child-process config pivots.
  • [P2] Get explicit maintainer acceptance of the compatibility tradeoff before merge.

Risk before merge

  • [P1] Existing stdio MCP configs that intentionally set inherited child-process config-pivot env keys will stop passing those values to the child process after merge; contributor comments accept this, but the protected maintainer label means a maintainer-owned compatibility decision is still needed.
  • [P1] The public MCP docs on the PR head still omit the newly blocked inherited config-pivot class, so operators would not see the upgrade behavior before their configured env keys are ignored.

Maintainer options:

  1. Document and approve the hardening tradeoff (recommended)
    Update the public MCP stdio env safety docs for inherited config pivots, then have a maintainer explicitly accept the existing-config break before merge.
  2. Preserve compatibility by default
    If maintainers do not want existing configured pivot env keys to stop working, redesign this as a compatibility-preserving default plus an explicit strict hardening path.

Next step before merge

  • [P2] A narrow docs repair is automatable, but merge still needs human maintainer acceptance for the compatibility tradeoff.

Security
Cleared: The diff tightens stdio child-process env filtering and does not add dependency, workflow, package, or secret-handling supply-chain changes.

Review findings

  • [P1] Gate the env break on maintainer approval — src/agents/mcp-config-shared.ts:102
  • [P2] Document the expanded stdio env filter — src/agents/mcp-config-shared.ts:102

Review details

Best possible solution:

Land the hardening after docs describe the expanded blocked-key class and a maintainer explicitly accepts the compatibility tradeoff for existing stdio MCP configs.

Do we have a high-confidence way to reproduce the issue?

Yes from source: current main only calls isDangerousHostEnvVarName for MCP stdio env, while ANSIBLE_CONFIG and TF_CLI_CONFIG_FILE are only dangerous through isDangerousHostInheritedEnvVarName. I did not run the live MCP proof locally because this review is read-only, but the contributor's terminal proof matches the inspected code path.

Is this the best way to solve the issue?

No, not as submitted: the code path is a plausible and well-scoped hardening fix, but the best merge-ready solution also updates the public MCP docs and records maintainer acceptance of the compatibility tradeoff.

Full review comments:

  • [P1] Gate the env break on maintainer approval — src/agents/mcp-config-shared.ts:102
    Switching the stdio MCP filter to inherited-dangerous env keys means existing mcp.servers.*.env entries such as ANSIBLE_CONFIG or TF_CLI_CONFIG_FILE will be ignored after merge. The PR author has described that tradeoff, but repo policy treats config/env behavior as compatibility-sensitive and the PR has the protected maintainer label, so this needs explicit maintainer acceptance or a compatibility-preserving design before merge.
    Confidence: 0.88
  • [P2] Document the expanded stdio env filter — src/agents/mcp-config-shared.ts:102
    This same filtering change expands the documented mcp.servers.*.env behavior, but the public MCP docs on the PR head still describe only interpreter-startup keys and do not mention inherited child-process config pivots like ANSIBLE_CONFIG or TF_CLI_CONFIG_FILE. Please update docs/cli/mcp.md so operators can see which configured keys are now ignored and why.
    Confidence: 0.93

Overall correctness: patch is incorrect
Overall confidence: 0.88

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 21410d1c3247.

Label changes

Label justifications:

  • P2: The PR is a bounded MCP hardening fix with normal priority and limited blast radius.
  • merge-risk: 🚨 compatibility: Existing stdio MCP configs that intentionally set inherited config-pivot env keys will stop passing those keys after merge.
  • rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦞 diamond lobster and patch quality is 🦐 gold shrimp.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (terminal): The contributor provided after-fix real stdio MCP proof using an isolated config and a spawned child process that showed blocked pivots absent and configured credential/proxy keys present.
  • proof: sufficient: Contributor real behavior proof is sufficient. The contributor provided after-fix real stdio MCP proof using an isolated config and a spawned child process that showed blocked pivots absent and configured credential/proxy keys present.

Evidence reviewed

PR surface:

Source +36, Tests +9. Total +45 across 2 files.

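PR surface stats:

| Area | Files | Added | Removed | Net |
|---|---|---|---|---|
| Source | 1 | 38 | 2 | +36 |
| Tests | 1 | 11 | 2 | +9 |
| Docs | 0 | 0 | 0 | 0 |
| Config | 0 | 0 | 0 | 0 |
| Generated | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 |
| Total | 2 | 49 | 4 | +45 |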

Acceptance criteria:

  • [P1] git diff --check.
  • [P1] git diff origin/main...HEAD --check.

What I checked:

  • Repository policy applied: Root policy and scoped src/agents/docs guidance were read; root policy treats config/env behavior changes as compatibility-sensitive and docs guidance applies to the missing public MCP documentation. (AGENTS.md:1, 21410d1c3247)
  • Current main MCP env behavior: Current main only drops keys matched by isDangerousHostEnvVarName for MCP stdio env, so inherited-only pivots such as ANSIBLE_CONFIG and TF_CLI_CONFIG_FILE are not blocked by this path today. (src/agents/mcp-config-shared.ts:66, 21410d1c3247)
  • Inherited env policy contract: Host env policy marks ANSIBLE_CONFIG and TF_CLI_CONFIG_FILE as inherited-dangerous, and tests assert they are not always-dangerous but are dangerous when inherited. (src/infra/host-env-security-policy.json:224, 21410d1c3247)
  • PR changes the env predicate: The PR adds an MCP stdio-specific predicate that preserves selected explicit credentials, then applies isDangerousHostInheritedEnvVarName to other keys before stdio spawn config is returned. (src/agents/mcp-config-shared.ts:102, c440454b5b6d)
  • PR test coverage: The updated focused test covers ANSIBLE_CONFIG and TF_CLI_CONFIG_FILE being dropped while GITHUB_TOKEN and HTTP_PROXY remain present in resolved stdio env. (src/agents/mcp-transport-config.test.ts:51, c440454b5b6d)
  • Docs gap on PR head: On the PR head, the MCP stdio docs still describe interpreter-startup env keys only; a PR-head grep finds ANSIBLE_CONFIG and TF_CLI_CONFIG_FILE in tests/policy but not in docs. Public docs: docs/cli/mcp.md. (docs/cli/mcp.md:676, c440454b5b6d)

Likely related people:

  • pgondhi987: Authored and merged the recent host-env denylist and git-protocol env-control hardening that defines the policy this PR is extending into MCP stdio env handling. (role: recent host-env security contributor; confidence: high; commits: 9f413acc183d, 86bab9699d0d; files: src/infra/host-env-security-policy.json, src/infra/host-env-security.ts, src/infra/host-env-security.test.ts)
  • Peter Steinberger: Recent history shows MCP config documentation refresh work in docs/cli/mcp.md, which is the public doc surface that still needs this PR's expanded env-filter behavior. (role: recent MCP docs contributor; confidence: medium; commits: 6067fe59d821, 1d1c52e6e6c9; files: docs/cli/mcp.md)
  • vincentkoc: Merged the bot-authored baseline commit that introduced the current MCP config helper files and has recent MCP documentation history near this surface. (role: baseline merger and adjacent docs contributor; confidence: low; commits: e949809f6e3b, c42659176a56, 22ffe7b1debd; files: src/agents/mcp-config-shared.ts, src/agents/mcp-stdio.ts, src/agents/mcp-transport-config.ts)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal backlog priority with limited blast radius. merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. labels Jun 9, 2026
@eleqtrizit

Contributor Author

Behavioral Proof

Real MCP stdio launch proof on PR head c440454b5b6d71786fea579fde3e0010db948b95 using an isolated temporary OPENCLAW_CONFIG_PATH. The proof server was a real spawned stdio MCP child process; it wrote its own process.env snapshot during tools/list.

Command path run:

OPENCLAW_CONFIG_PATH=<temp>/openclaw.json OPENCLAW_TEST_FAST=1 corepack pnpm openclaw mcp add env-proof \
  --command node \
  --arg=-e \
  --arg '<inline stdio MCP server that writes child process.env proof JSON>' \
  --arg <temp>/proof-output.json \
  --env ANSIBLE_CONFIG=/tmp/evil-ansible.cfg \
  --env TF_CLI_CONFIG_FILE=/tmp/evil-terraform.rc \
  --env GITHUB_TOKEN=<redacted dummy credential> \
  --env HTTP_PROXY=http://proxy.invalid:8080 \
  --no-probe

OPENCLAW_CONFIG_PATH=<temp>/openclaw.json OPENCLAW_TEST_FAST=1 corepack pnpm openclaw mcp probe env-proof --json

Observed OpenClaw startup-safety output from the real probe:

[bundle-mcp] server "env-proof": env "ANSIBLE_CONFIG" is blocked for stdio startup safety and was ignored.
[bundle-mcp] server "env-proof": env "TF_CLI_CONFIG_FILE" is blocked for stdio startup safety and was ignored.

Observed MCP probe result:

{
  "servers": {
    "env-proof": {
      "tools": 1,
      "requestTimeoutMs": 60000
    }
  },
  "tools": ["env-proof__ping"],
  "diagnostics": []
}

Observed child-process proof JSON, written by the spawned stdio MCP server itself:

{
  "keys": {
    "ANSIBLE_CONFIG": {
      "present": false,
      "value": null
    },
    "TF_CLI_CONFIG_FILE": {
      "present": false,
      "value": null
    },
    "GITHUB_TOKEN": {
      "present": true,
      "matchesConfigured": true,
      "value": "<redacted>"
    },
    "HTTP_PROXY": {
      "present": true,
      "matchesConfigured": true,
      "value": "<redacted>"
    }
  }
}

This proves the requested real behavior after OpenClaw config save, MCP transport normalization, SDK default env merge, and stdio spawn(...): inherited child-process config pivots ANSIBLE_CONFIG and TF_CLI_CONFIG_FILE do not reach the child, while an explicit configured credential (GITHUB_TOKEN) still reaches the child.

Compatibility tradeoff: accepted for this hardening PR. Stdio MCP configs that intentionally set inherited child-process config-pivot env keys such as ANSIBLE_CONFIG or TF_CLI_CONFIG_FILE will now have those keys ignored with startup-safety warnings. Explicit credentials and allowed operator env such as GITHUB_TOKEN and HTTP_PROXY continue to pass.

Additional fresh validation:

node scripts/run-vitest.mjs src/agents/mcp-transport-config.test.ts
[test] passed 1 Vitest shard in 3.54s; 1 file passed, 9 tests passed

git diff --check
passed

git diff upstream/main...HEAD --check
passed

@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jun 9, 2026
@eleqtrizit

Contributor Author

Relevance

This PR addresses a verified security hardening gap where MCP stdio child-process environment filtering was less restrictive than OpenClaw's established inherited child-process execution policy. Three independent relevance checks confirmed the gap: toMcpEnvRecord() only called isDangerousHostEnvVarName() (checking always-dangerous vars like NODE_OPTIONS, LD_PRELOAD, BASH_ENV) but did not call isDangerousHostInheritedEnvVarName() (checking inherited-dangerous vars like ANSIBLE_CONFIG, TF_CLI_CONFIG_FILE). The fix aligns MCP stdio env filtering with the existing sanitizeHostInheritedEnvEntry() policy.

Compatibility

A dedicated compatibility check confirmed no exported symbols, type shapes, import paths, CLI commands/flags, gateway protocol messages, plugin SDK surfaces, or config schemas are removed or renamed. The only runtime change is intentional security hardening: configured stdio MCP env keys already classified as dangerous for inherited child-process execution are now dropped before MCP stdio child process launch. Explicit credential env keys (GITHUB_TOKEN, DATABASE_URL, AWS_ACCESS_KEY_ID, etc.) and allowed inherited operator env (HTTP_PROXY, SSH_AUTH_SOCK, HOME, etc.) continue to pass through. The compatibility tradeoff is accepted — these keys already violate the inherited child-process execution policy this PR now applies consistently.

ClawSweeper

ClawSweeper review confirmed the patch quality is sound (platinum hermit) and cleared security/supply-chain concerns. The two blocking items — missing real behavior proof and unconfirmed compatibility tradeoff — have been resolved. Real MCP stdio behavioral proof was produced using an isolated temp config and a live spawned MCP child process, demonstrating that ANSIBLE_CONFIG and TF_CLI_CONFIG_FILE are dropped while GITHUB_TOKEN and HTTP_PROXY remain present. The compatibility tradeoff is explicitly accepted.

Code Reviews Completed

Multiple independent code reviews were conducted, all converging on the same verdict: the fix is correct, well-scoped, and necessary. The sole actionable concern — a hardcoded credential allowlist without a maintenance contract — was addressed with an inline comment documenting the purpose, what to add, what not to add, and how to keep it in sync with the policy JSON.


All Checks Completed

| Check | Status |
|---|---|
| Unit tests (mcp-transport-config) | 9/9 passed |
| Real MCP stdio behavioral proof | Verified — blocked keys absent, credential keys present |
| Compatibility analysis | No exported surface changed; intentional hardening only |
| CI checks | All passing (lint, types, security, CodeQL, build artifacts) |
| Import boundary checks | Clean (src, SDK, test helpers) |
| Git diff whitespace check | Clean |
| Autoreview | No accepted/actionable findings |
| Code review — fix correctness | Fix targets right function, reuses existing policy |
| Code review — credential allowlist | Maintenance contract documented inline |
| Code review — test coverage | Validates both dropped and preserved behaviors |
| Security review | Correctly identifies and fixes a genuine hardening gap |
| Patch quality (ClawSweeper) | Platinum hermit — implementation is sound |
| Maintainer compatibility acceptance | Compatibility tradeoff accepted |

@eleqtrizit

Contributor Author

@clawsweeper re-review

Docs have been updated for the stdio env safety filter to cover child-process config pivots such as ANSIBLE_CONFIG and TF_CLI_CONFIG_FILE, and the compatibility tradeoff is accepted for this hardening change.

clawsweeper Bot commented Jun 9, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@eleqtrizit

Contributor Author

@clawsweeper re-review

clawsweeper Bot commented Jun 9, 2026

Contributor

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

@eleqtrizit eleqtrizit merged commit 314de69 into openclaw:main Jun 9, 2026
189 of 194 checks passed
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request Jun 10, 2026
eleboucher pushed a commit to eleboucher/homelab that referenced this pull request Jun 12, 2026
…26.6.6) (#1040)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/openclaw/openclaw](https://openclaw.ai) ([source](https://github.com/openclaw/openclaw)) | patch | `2026.6.5` → `2026.6.6` |

---

### Release Notes

<details>
<summary>openclaw/openclaw (ghcr.io/openclaw/openclaw)</summary>

### [`v2026.6.6`](https://github.com/openclaw/openclaw/blob/HEAD/CHANGELOG.md#202666)

[Compare Source](openclaw/openclaw@v2026.6.5...v2026.6.6)

##### Highlights

- Security boundaries are substantially tighter across transcripts, sandbox binds, host environment inheritance, MCP stdio, Codex HTTP access, native search policy, elevated sender checks, deleted-agent ACP bypasses, loopback tools, Discord moderation, and Teams group actions; exec approvals now fail closed on timeout. ([#&#8203;91529](openclaw/openclaw#91529), [#&#8203;91618](openclaw/openclaw#91618), [#&#8203;91615](openclaw/openclaw#91615), [#&#8203;91619](openclaw/openclaw#91619), [#&#8203;91741](openclaw/openclaw#91741), [#&#8203;91745](openclaw/openclaw#91745), [#&#8203;91746](openclaw/openclaw#91746), [#&#8203;91748](openclaw/openclaw#91748), [#&#8203;91749](openclaw/openclaw#91749), [#&#8203;91750](openclaw/openclaw#91750), [#&#8203;91751](openclaw/openclaw#91751), [#&#8203;91752](openclaw/openclaw#91752), [#&#8203;91763](openclaw/openclaw#91763), [#&#8203;89938](openclaw/openclaw#89938)) Thanks [@&#8203;joshavant](https://github.com/joshavant), [@&#8203;pgondhi987](https://github.com/pgondhi987), [@&#8203;mmaps](https://github.com/mmaps), [@&#8203;eleqtrizit](https://github.com/eleqtrizit), [@&#8203;shakkernerd](https://github.com/shakkernerd), and [@&#8203;drobison00](https://github.com/drobison00).
- Telegram delivery is safer and more coherent: account-scoped topics route to the right agent, streamed text survives tool calls, `/compact` works on generic ingress, callback handling uses concrete APIs, draft chunking is shared, durable dispatch dedupe moved into the SDK, and unauthorized DM text stays out of cache and prompt context. ([#&#8203;91189](openclaw/openclaw#91189), [#&#8203;88682](openclaw/openclaw#88682), [#&#8203;89588](openclaw/openclaw#89588), [#&#8203;90212](openclaw/openclaw#90212), [#&#8203;91876](openclaw/openclaw#91876), [#&#8203;91874](openclaw/openclaw#91874), [#&#8203;91904](openclaw/openclaw#91904), [#&#8203;91478](openclaw/openclaw#91478), [#&#8203;91915](openclaw/openclaw#91915)) Thanks [@&#8203;codysai001](https://github.com/codysai001), [@&#8203;alexzhu0](https://github.com/alexzhu0), [@&#8203;joelnishanth](https://github.com/joelnishanth), [@&#8203;snowzlm](https://github.com/snowzlm), [@&#8203;obviyus](https://github.com/obviyus), and [@&#8203;sallyom](https://github.com/sallyom).
- iMessage recovery and delivery now cover always-on inbound restart, durable echo markers, block streaming, idle approval discovery, hardened outbound transport, and actionable inbound startup diagnostics. ([#&#8203;91335](openclaw/openclaw#91335), [#&#8203;91449](openclaw/openclaw#91449), [#&#8203;88969](openclaw/openclaw#88969), [#&#8203;88530](openclaw/openclaw#88530), [#&#8203;91783](openclaw/openclaw#91783), [#&#8203;91785](openclaw/openclaw#91785)) Thanks [@&#8203;omarshahine](https://github.com/omarshahine), [@&#8203;jmissig](https://github.com/jmissig), and [@&#8203;colmbrogan](https://github.com/colmbrogan).
- Browser and MCP connectivity gained existing-session CDP support, discovered WebSocket validation, default-profile `cdpUrl` handling, safer browser-output boundaries, Streamable HTTP loopback transport, corrected OAuth/SSE authorization handling, and broader schema compatibility. ([#&#8203;91422](openclaw/openclaw#91422), [#&#8203;89851](openclaw/openclaw#89851), [#&#8203;91736](openclaw/openclaw#91736), [#&#8203;91747](openclaw/openclaw#91747), [#&#8203;91451](openclaw/openclaw#91451), [#&#8203;80143](openclaw/openclaw#80143)) Thanks [@&#8203;pgondhi987](https://github.com/pgondhi987), [@&#8203;anagnorisis2peripeteia](https://github.com/anagnorisis2peripeteia), [@&#8203;lifuyue](https://github.com/lifuyue), [@&#8203;eleqtrizit](https://github.com/eleqtrizit), [@&#8203;LiuwqGit](https://github.com/LiuwqGit), and [@&#8203;HemantSudarshan](https://github.com/HemantSudarshan).
- Control UI startup and first-reply latency are lower through cached model metadata, removal of the startup catalog wait, lazy slash-command loading, and first-event tracing with slow-reply diagnostics. ([#&#8203;91531](openclaw/openclaw#91531), [#&#8203;91538](openclaw/openclaw#91538), [#&#8203;91568](openclaw/openclaw#91568), [#&#8203;91583](openclaw/openclaw#91583), [#&#8203;91598](openclaw/openclaw#91598))
- Provider support expands with OpenRouter OAuth onboarding and Claude Fable 5 adaptive thinking, while Codex sessions keep correct compaction ownership, local models skip guardian review, dynamic tool progress normalizes cleanly, and Gemma 4 reasoning replay is preserved. ([#&#8203;91830](openclaw/openclaw#91830), [#&#8203;91882](openclaw/openclaw#91882), [#&#8203;91590](openclaw/openclaw#91590), [#&#8203;88630](openclaw/openclaw#88630), [#&#8203;88768](openclaw/openclaw#88768), [#&#8203;91696](openclaw/openclaw#91696)) Thanks [@&#8203;Patrick-Erichsen](https://github.com/Patrick-Erichsen), [@&#8203;joshavant](https://github.com/joshavant), [@&#8203;bdjben](https://github.com/bdjben), and [@&#8203;Coder-Wangyankun](https://github.com/Coder-Wangyankun).

##### Changes

- CLI progress: emit Claude CLI commentary progress events and bridge inter-tool commentary into channel progress without exposing internal protocol scaffolding. ([#&#8203;89834](openclaw/openclaw#89834), [#&#8203;90883](openclaw/openclaw#90883)) Thanks [@&#8203;anagnorisis2peripeteia](https://github.com/anagnorisis2peripeteia).
- Observability: allow trusted diagnostics channels to capture tool input/output content, add first-assistant-event traces, and warn on slow initial replies. ([#&#8203;91256](openclaw/openclaw#91256), [#&#8203;91568](openclaw/openclaw#91568), [#&#8203;91583](openclaw/openclaw#91583)) Thanks [@&#8203;amknight](https://github.com/amknight).
- Plugins/ClawHub: dogfood reusable package publishing, let dry runs skip publish approval, allow declared installed trusted hooks, report managed plugin version drift, and warn instead of failing on retired Skill Workshop configuration. ([#&#8203;91574](openclaw/openclaw#91574), [#&#8203;91591](openclaw/openclaw#91591), [#&#8203;90004](openclaw/openclaw#90004), [#&#8203;90927](openclaw/openclaw#90927), [#&#8203;90838](openclaw/openclaw#90838)) Thanks [@&#8203;Patrick-Erichsen](https://github.com/Patrick-Erichsen), [@&#8203;brokemac79](https://github.com/brokemac79), and [@&#8203;lonexreb](https://github.com/lonexreb).
- Memory/providers: move the local llama.cpp runtime into its provider plugin, batch embeddings across files, persist the agent model catalog cache, and keep QMD JSON search one-shot while filtering stale REM recall previews. ([#&#8203;91324](openclaw/openclaw#91324), [#&#8203;89138](openclaw/openclaw#89138), [#&#8203;90457](openclaw/openclaw#90457), [#&#8203;91837](openclaw/openclaw#91837), [#&#8203;91851](openclaw/openclaw#91851)) Thanks [@&#8203;osolmaz](https://github.com/osolmaz), [@&#8203;mushuiyu886](https://github.com/mushuiyu886), [@&#8203;ai-hpc](https://github.com/ai-hpc), and [@&#8203;TurboTheTurtle](https://github.com/TurboTheTurtle).
- Channels/mobile: add the QQBot group mention toggle, improve iPad and iPhone control surfaces, and expose the active connection host in the TUI footer. ([#&#8203;91423](openclaw/openclaw#91423), [#&#8203;91557](openclaw/openclaw#91557), [#&#8203;89909](openclaw/openclaw#89909)) Thanks [@&#8203;cxyhhhhh](https://github.com/cxyhhhhh), [@&#8203;Solvely-Colin](https://github.com/Solvely-Colin), and [@&#8203;baskduf](https://github.com/baskduf).
- Performance: prewarm TUI runtime plugins, deduplicate plugin auto-enable fanout, trim dense text-delta snapshots, and reuse prepared startup model metadata. ([#&#8203;90782](openclaw/openclaw#90782), [#&#8203;89978](openclaw/openclaw#89978), [#&#8203;91580](openclaw/openclaw#91580), [#&#8203;91531](openclaw/openclaw#91531)) Thanks [@&#8203;RomneyDa](https://github.com/RomneyDa) and [@&#8203;ai-hpc](https://github.com/ai-hpc).

##### Fixes

- Agent/session recovery: drop stale approval follow-ups after session rebind, remove drained reply-queue items by identity, recover stale main and visible replies, preserve Codex context-engine compaction ownership, lower the default compaction timeout to 180 seconds while respecting explicit configuration, and keep provider-failure terminal lifecycle state correct. ([#85679](openclaw/openclaw#85679), [#91450](openclaw/openclaw#91450), [#91566](openclaw/openclaw#91566), [#91840](openclaw/openclaw#91840), [#91590](openclaw/openclaw#91590), [#91361](openclaw/openclaw#91361), [#91895](openclaw/openclaw#91895)) Thanks [@openperf](https://github.com/openperf), [@yetval](https://github.com/yetval), [@joshavant](https://github.com/joshavant), [@wangmiao0668000666](https://github.com/wangmiao0668000666), and [@TurboTheTurtle](https://github.com/TurboTheTurtle).
- User-visible content boundaries: suppress Codex/Harmony protocol artifacts, neutralize browser and LanceDB memory media directives, redact transcript images, and preserve native `/compact` replies through source suppression. ([#89151](openclaw/openclaw#89151), [#91422](openclaw/openclaw#91422), [#91425](openclaw/openclaw#91425), [#91529](openclaw/openclaw#91529), [#90212](openclaw/openclaw#90212)) Thanks [@joelnishanth](https://github.com/joelnishanth), [@pgondhi987](https://github.com/pgondhi987), [@joshavant](https://github.com/joshavant), and [@snowzlm](https://github.com/snowzlm).
- Channel delivery: keep WhatsApp captured replies attached to the successor controller after restart, retry Feishu rate limits, preserve Mattermost thread replies, canonicalize LINE webhook paths, restore Discord reply hydration and runtime timeout exports, and show OpenAI Realtime WebRTC assistant transcripts. ([#85823](openclaw/openclaw#85823), [#89659](openclaw/openclaw#89659), [#91684](openclaw/openclaw#91684), [#91649](openclaw/openclaw#91649), [#90263](openclaw/openclaw#90263), [#91686](openclaw/openclaw#91686), [#90426](openclaw/openclaw#90426)) Thanks [@itsuzef](https://github.com/itsuzef), [@ladygege](https://github.com/ladygege), [@jacobtomlinson](https://github.com/jacobtomlinson), [@fuller-stack-dev](https://github.com/fuller-stack-dev), and [@shushushv](https://github.com/shushushv).
- Cron: cancel active task runs cleanly, preserve terminal timeout/cancel state, and recover no-deliver tool warnings instead of silently losing the outcome. ([#90666](openclaw/openclaw#90666), [#90678](openclaw/openclaw#90678)) Thanks [@ai-hpc](https://github.com/ai-hpc).
- Gateway/config/auth: share the approval runtime socket token, replace arrays explicitly in `config.patch`, skip the deleted-agent guard only for valid ACP harness sessions, surface headless LaunchAgent state, verify SQLite auth migration before cleanup, and arm QMD startup maintenance. ([#87105](openclaw/openclaw#87105), [#91551](openclaw/openclaw#91551), [#91219](openclaw/openclaw#91219), [#91614](openclaw/openclaw#91614), [#91740](openclaw/openclaw#91740), [#91978](openclaw/openclaw#91978)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev) and [@scotthuang](https://github.com/scotthuang).
- Providers/Codex: clarify quota errors, restore the Codex synthetic usage line, canonicalize Codex protocol assets, require API-key auth for realtime voice, normalize ACP model refs, preserve Gemma 4 `reasoning_content`, and avoid guardian review for local models. ([#91390](openclaw/openclaw#91390), [#91709](openclaw/openclaw#91709), [#91507](openclaw/openclaw#91507), [#91567](openclaw/openclaw#91567), [#88630](openclaw/openclaw#88630), [#91696](openclaw/openclaw#91696)) Thanks [@hxy91819](https://github.com/hxy91819), [@brokemac79](https://github.com/brokemac79), [@RomneyDa](https://github.com/RomneyDa), [@joshavant](https://github.com/joshavant), and [@Coder-Wangyankun](https://github.com/Coder-Wangyankun).
- Updates/builds: recover package Gateway restarts after refresh failure, expose plugin convergence repair, fall back to Corepack in PATH-less pnpm environments, seed the correct Docker store packages, and keep ClawHub dry-run and publish paths reusable. ([#91581](openclaw/openclaw#91581), [#91599](openclaw/openclaw#91599), [#91547](openclaw/openclaw#91547), [#91591](openclaw/openclaw#91591)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev), [@sallyom](https://github.com/sallyom), and [@Patrick-Erichsen](https://github.com/Patrick-Erichsen).
- UI: require explicit user intent before opening chat sessions and drain restored chat queues after session switches. ([#91480](openclaw/openclaw#91480)) Thanks [@TurboTheTurtle](https://github.com/TurboTheTurtle).
- Android: avoid the `dataSync` foreground-service type for persistent nodes. ([#80082](openclaw/openclaw#80082)) Thanks [@davelutztx](https://github.com/davelutztx).
- Native hooks: bound relay lifetimes so abandoned native hook connections cannot linger indefinitely. ([#91550](openclaw/openclaw#91550)) Thanks [@joshavant](https://github.com/joshavant).

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---


This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/1040

Labels

- agents (Agent runtime and tooling)
- maintainer (Maintainer-authored PR)
- merge-risk: 🚨 compatibility 🚨 (May break existing users, config, migrations, defaults, or upgrade paths.)
- P2 (Normal backlog priority with limited blast radius.)
- proof: sufficient (ClawSweeper judged the real behavior proof convincing.)
- rating: 🦐 gold shrimp (Decent PR readiness signal, but merge confidence is limited.)
- size: S
- status: ⏳ waiting on author (ClawSweeper has contributor-facing work open and is waiting for author action.)
