diff --git a/github-app-token/SKILL.md b/github-app-token/SKILL.md index 52d4528..d573cbe 100644 --- a/github-app-token/SKILL.md +++ b/github-app-token/SKILL.md @@ -23,4 +23,6 @@ bash github-app-token/scripts/generate-token.sh The script validates env vars, generates a JWT, exchanges it for an installation token, writes the token to `$AGENT_HOME/.gh-token`, and runs `gh auth login`. On success it prints a confirmation line. On failure it exits non-zero with a descriptive error. +The script sets and exports `GH_CONFIG_DIR=$AGENT_HOME/.config/gh` so each agent's `gh` state is isolated from every other agent on the same host. After sourcing or calling the script, subsequent `gh` commands in the same shell session will automatically use that isolated config. If you spawn a subprocess, export `GH_CONFIG_DIR` before calling `gh`. + Requires `openssl`, `curl`, `jq`, and `gh`. diff --git a/github-app-token/scripts/generate-token.sh b/github-app-token/scripts/generate-token.sh index 0b30761..fa53084 100755 --- a/github-app-token/scripts/generate-token.sh +++ b/github-app-token/scripts/generate-token.sh @@ -41,7 +41,12 @@ GH_TOKEN_FILE="${GH_TOKEN_FILE:-$(mktemp)}" printf '%s' "$TOKEN" > "$GH_TOKEN_FILE" chmod 600 "$GH_TOKEN_FILE" -# --- Authenticate gh CLI --- +# --- Authenticate gh CLI with per-agent config isolation --- +# Each agent gets its own GH_CONFIG_DIR so tokens never bleed across agents. +export GH_CONFIG_DIR="${AGENT_HOME:+${AGENT_HOME}/.config/gh}" +GH_CONFIG_DIR="${GH_CONFIG_DIR:-$(mktemp -d)}" +mkdir -p "$GH_CONFIG_DIR" + gh auth login --with-token < "$GH_TOKEN_FILE" -echo "Authenticated. Token written to $GH_TOKEN_FILE (expires in 1 hour)." +echo "Authenticated. Token written to $GH_TOKEN_FILE (expires in 1 hour). GH_CONFIG_DIR=$GH_CONFIG_DIR"
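Review bot: In the SKILL.md hunk, the added sentence "After sourcing or calling the script, subsequent `gh` commands in the same shell session will automatically use that isolated config" holds only for sourcing. The invocation shown in this file's hunk header is `bash github-app-token/scripts/generate-token.sh`, which runs the script in a child process, so the `export GH_CONFIG_DIR` never reaches the calling shell and later `gh` commands there use the default config directory, which is the shared state this change is meant to avoid. Suggest stating that the script must be sourced for the export to take effect, or telling callers to set `GH_CONFIG_DIR` themselves from the value printed in the final echo line. The paragraph should also mention the `mktemp -d` fallback used when `AGENT_HOME` is unset, since in that case the path is not `$AGENT_HOME/.config/gh`.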
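Review bot: In the generate-token.sh hunk, `export GH_CONFIG_DIR="${AGENT_HOME:+${AGENT_HOME}/.config/gh}"` unconditionally overwrites any `GH_CONFIG_DIR` the caller already set, and when `AGENT_HOME` is unset the next line falls back to `mktemp -d`, which creates a new directory on every run that nothing in the hunk removes and that is only discoverable from the final echo. Since `gh auth login --with-token` then writes its state into that directory, consider exiting with an error when `AGENT_HOME` is unset (or honoring a pre-set `GH_CONFIG_DIR`) rather than silently using a throwaway path. The token file gets `chmod 600` just above, but the directory created by `mkdir -p "$GH_CONFIG_DIR"` takes its mode from the umask; adding `chmod 700 "$GH_CONFIG_DIR"` after it would match.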