diff --git a/agent-setup/SKILL.md b/agent-setup/SKILL.md
index faeffbd..dcf125e 100644
--- a/agent-setup/SKILL.md
+++ b/agent-setup/SKILL.md
@@ -17,7 +17,7 @@ Validates the `AGENT_HOME` environment variable, derives `GH_CONFIG_DIR` as `$AG
 ```bash
 bash agent-setup/scripts/setup.sh
-source ~/.env
+source "$AGENT_HOME/.env"
 ```
 ## Output
diff --git a/agent-setup/scripts/setup.sh b/agent-setup/scripts/setup.sh
index b73a550..702b1c0 100755
--- a/agent-setup/scripts/setup.sh
+++ b/agent-setup/scripts/setup.sh
@@ -5,6 +5,12 @@ die() { echo "ERROR: $*" >&2; exit 1; }
 [[ -z "${AGENT_HOME:-}" ]] && die "AGENT_HOME is not set"
+# Validate: never accept an inherited GH_CONFIG_DIR that points outside AGENT_HOME
+if [[ -n "${GH_CONFIG_DIR:-}" && "$GH_CONFIG_DIR" != "$AGENT_HOME"* ]]; then
+ echo "WARN: Inherited GH_CONFIG_DIR '$GH_CONFIG_DIR' is outside AGENT_HOME. Overriding." >&2
+ unset GH_CONFIG_DIR
+fi
+
 # Derive GH_CONFIG_DIR — gh stores config at ~/.config/gh by default,
 # so we mirror that structure under AGENT_HOME
 export GH_CONFIG_DIR="$AGENT_HOME/.github"
diff --git a/github-app-token/scripts/generate-token.sh b/github-app-token/scripts/generate-token.sh
index 68b21d1..e31e1be 100755
--- a/github-app-token/scripts/generate-token.sh
+++ b/github-app-token/scripts/generate-token.sh
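Review bot: In agent-setup/scripts/setup.sh the containment test `"$GH_CONFIG_DIR" != "$AGENT_HOME"*` is a bare string-prefix match, so with a constructed example of AGENT_HOME=/home/agent, a sibling such as /home/agent-other/.github or a path carrying `..` components is treated as inside. The identical test guards the token write in github-app-token/scripts/generate-token.sh, where the consequence is larger. Anchor the comparison on a path separator, `"$GH_CONFIG_DIR/" != "${AGENT_HOME%/}/"*`, and canonicalise both paths first if symlinks or `..` can appear in them. In setup.sh itself the only effect is the warning, because the `export GH_CONFIG_DIR="$AGENT_HOME/.github"` just below replaces the inherited value either way.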
@@ -64,10 +64,15 @@ fi
 mkdir -p "$GH_TOKEN_DIR"
 GH_TOKEN_FILE="$GH_TOKEN_DIR/.gh-token"
+# Validate GH_CONFIG_DIR is inside AGENT_HOME (prevents writing the token to a foreign workspace)
+if [[ -n "${GH_CONFIG_DIR:-}" && -n "${AGENT_HOME:-}" && "$GH_CONFIG_DIR" != "$AGENT_HOME"* ]]; then
+ die "GH_CONFIG_DIR '$GH_CONFIG_DIR' is outside AGENT_HOME '${AGENT_HOME}'. Refusing to write token to a foreign workspace."
+fi
+
 printf '%s' "$TOKEN" > "$GH_TOKEN_FILE"
 chmod 600 "$GH_TOKEN_FILE"
 # --- Authenticate gh CLI ---
-gh auth login --with-token < "$GH_TOKEN_FILE"
+GH_CONFIG_DIR="$GH_TOKEN_DIR" gh auth login --with-token < "$GH_TOKEN_FILE"
 echo "Authenticated. Token written to $GH_TOKEN_FILE (expires in 1 hour)."
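Review bot: The new guard validates `GH_CONFIG_DIR`, but the token is written to `$GH_TOKEN_DIR/.gh-token` and the login now runs with `GH_CONFIG_DIR="$GH_TOKEN_DIR"`, so the path that actually receives the secret is never checked in this hunk; `GH_TOKEN_DIR` is assigned above the hunk, and if it does not derive from the validated variable the check protects nothing. The guard also fails open when `AGENT_HOME` is empty, and it sits after `mkdir -p "$GH_TOKEN_DIR"`, so a rejected location is still created on disk. I would test the write target before the mkdir and require AGENT_HOME: `[[ -n "${AGENT_HOME:-}" ]] || die "AGENT_HOME is not set"` followed by `[[ "$GH_TOKEN_DIR/" == "${AGENT_HOME%/}/"* ]] || die "GH_TOKEN_DIR '$GH_TOKEN_DIR' is outside AGENT_HOME"`. Separately, `printf '%s' "$TOKEN" > "$GH_TOKEN_FILE"` creates the file under the current umask before `chmod 600` runs; setting `umask 077` ahead of the write closes that window.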