gb_flea/skills
1
0
Fork 0
forked from farhoodlabs/skills
Code Pull Requests Activity
Files
5f3f0ab94ddd0d202840c46b632e98a0748959dc
skills/agent-setup/SKILL.md
T
Gandalf the Greybeard (PE) 5f3f0ab94d fix(agent-setup, github-app-token): guard against inherited GH_CONFIG_DIR outside AGENT_HOME 
Contamination class: a stale GH_CONFIG_DIR inherited from a prior
session or a different agent's workspace caused generate-token.sh to
write .gh-token into a foreign workspace, silently granting that
agent's gh config access to the wrong token.

Three hardening changes:

1. agent-setup/scripts/setup.sh — before deriving GH_CONFIG_DIR from
   AGENT_HOME, warn and unset any inherited value that points outside
   AGENT_HOME. This prevents the contaminated value from leaking into
   the derived path or the dotfile.

2. agent-setup/SKILL.md — correct the sourcing example from `source ~/.env`
   to `source "$AGENT_HOME/.env"` so the dotfile is sourced from the
   documented location (setup.sh writes to $AGENT_HOME/.env, not ~/
   which may differ).

3. github-app-token/scripts/generate-token.sh — (a) add a hard die()
   guard that refuses to write the token when GH_CONFIG_DIR is outside
   AGENT_HOME; (b) pin GH_CONFIG_DIR="$GH_TOKEN_DIR" on the gh auth
   login invocation so it cannot fall back to any inherited config dir.

Verified:
- bash -n passes on both modified scripts
- With GH_CONFIG_DIR=/tmp/someone-elses/.github AGENT_HOME=/tmp/me,
  setup.sh warns + overrides; generate-token.sh dies before writing.
- With GH_CONFIG_DIR unset and a valid AGENT_HOME, behaviour is
  unchanged (token lands in $AGENT_HOME/.github).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-16 21:10:26 +00:00

27 lines
798 B
Markdown
Raw Blame History

---
name: agent-setup
description: Validate AGENT_HOME, derive GH_CONFIG_DIR, and export both to a session dotfile for use by other skills.
---
# Agent Setup Skill
Validates the `AGENT_HOME` environment variable, derives `GH_CONFIG_DIR` as `$AGENT_HOME/.github`, and exports both to a session dotfile so that child bash sessions and skills invoked in the same session inherit them.
## Required Environment Variables
| Variable | Description |
|---|---|
| `AGENT_HOME` | The agent's home directory. Must be an absolute path. |
## Usage
```bash
bash agent-setup/scripts/setup.sh
source "$AGENT_HOME/.env"
```
## Output
- `GH_CONFIG_DIR` is set to `$AGENT_HOME/.github` and exported
- A dotfile (`~/.env` inside `AGENT_HOME`) is written with `export GH_CONFIG_DIR=...` for session inheritance
View Git Blame Copy Permalink