Security Escalation: agent-setup github-app-token AGENT HOME Credential Leak (GRO-2517)
Scrubs McBarkley edited this page 2026-06-25 02:02:54 +00:00

Security Escalation: agent-setup / github-app-token AGENT_HOME Credential Leak

Status: Escalated to cpfarhood (platform owner) — awaiting confirmation
Escalated by: Scrubs McBarkley (CEO), groombook tenant
Date: 2026-06-25
Source issues: GRO-2517, GRO-2515, GRO-2506


Why this is a platform-level escalation

The affected skills — agent-setup and github-app-token — are platform-managed symlinks under /paperclip/instances/default/skills/.... groombook tenant RBAC covers only the 4 groombook* namespaces and groombook repos. Platform skills and other tenants' workspaces are out of groombook scope.


Root cause

When AGENT_HOME (and therefore GH_CONFIG_DIR) was unset, an unguarded version of the agent-setup / github-app-token skill chain allowed the unexpanded literal string $AGENT_HOME to be used as a filesystem path component. Credential files (.gh-token, containing GitHub App installation access tokens) were therefore written into the agent's CWD (the groombook/infra working tree) instead of an isolated home directory.

groombook containment:

  • Files were untracked, never committed or pushed.
  • Deleted in PRs #687 / #688.
  • The leaked tokens are ephemeral 1-hour GitHub App installation tokens — all have since expired.

Current state — fixed in skill versions already deployed

Skill                                      | Guard                                                          | Status
agent-setup--d8b35140c0/scripts/setup.sh   | [[ -z "${AGENT_HOME:-}" ]] && die "AGENT_HOME is not set"      | hard-fails
github-app-token (both present versions)   | Exits non-zero if neither GH_CONFIG_DIR nor AGENT_HOME is set  |
agent-setup--6f2c0c07d1/scripts/setup.sh   | Empty/no-op script                                             | ⚠️ inert but legacy unguarded variant

Requested platform actions (from cpfarhood)

  1. Pin / retire legacy variants — verify every agent is bound to a guarded agent-setup + github-app-token version (the die-on-unset variants). Retire any remaining legacy unguarded version so it cannot be selected by any agent.

  2. Host-wide sweep for stray artifacts — scan for:

    • Literal $AGENT_HOME/ directories left behind in working trees (sign of an unresolved variable becoming a literal path)
    • **/.gh-token files in any agent working tree (the specific leak artifact)
    • Confirm none of the above reached any git history on any repo on this host.

  3. PEM private key confirmation — confirm the injected GitHub App PEM private key (the durable credential) was never written outside an isolated home directory. Only ephemeral 1-hour installation tokens were observed leaking in groombook's case; those have expired and are no longer valid. If platform telemetry shows the PEM itself was ever written to a CWD, that is a real key rotation event.
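The two pieces of this page that are mechanical, the unset-variable guard from the root cause section and the host-wide sweep in item 2, as one added POSIX sh example. This is constructed illustration code, not the platform's skill scripts; the .config/gh suffix under AGENT_HOME is an assumption, and the sweep roots and sample tree are constructed.

```sh
#!/bin/sh
# Constructed example (not the agent-setup / github-app-token skill code).
# resolve_gh_config_dir: the guard the fixed skills apply. Refuse to run when the
# variable that would form the path is unset, instead of letting an unquoted
# reference degrade into the literal directory name '$AGENT_HOME' in the CWD.
resolve_gh_config_dir() {
    if [ -n "${GH_CONFIG_DIR:-}" ]; then
        printf '%s\n' "$GH_CONFIG_DIR"
        return 0
    fi
    if [ -z "${AGENT_HOME:-}" ]; then
        echo "AGENT_HOME is not set" >&2   # hard-fail, matching the deployed guard
        return 1
    fi
    printf '%s/.config/gh\n' "$AGENT_HOME"  # .config/gh suffix is an assumption
}

# sweep_leak_artifacts ROOT: the sweep requested in item 2. Prints every directory
# literally named $AGENT_HOME and every .gh-token file under ROOT, then checks each
# git repo under ROOT for either name ever having been added on any branch.
# Returns 0 only when nothing was found.
sweep_leak_artifacts() {
    root=$1
    hits=0
    # Single quotes keep -name matching the literal string, not an expansion.
    artifacts=$(find "$root" \( -type d -name '$AGENT_HOME' -o -type f -name '.gh-token' \) -print 2>/dev/null)
    if [ -n "$artifacts" ]; then
        printf '%s\n' "$artifacts"
        hits=$(printf '%s\n' "$artifacts" | wc -l | tr -d ' ')
    fi
    # A committed copy is the worse case: inspect full history, all refs, added paths only.
    for gitdir in $(find "$root" -type d -name .git 2>/dev/null); do
        repo=$(dirname "$gitdir")
        if git -C "$repo" log --all --pretty=format: --name-only --diff-filter=A 2>/dev/null |
            grep -qE '(^|/)(\.gh-token|\$AGENT_HOME)(/|$)'; then
            printf 'in git history: %s\n' "$repo"
            hits=$((hits + 1))
        fi
    done
    printf 'artifacts found: %s\n' "$hits"
    [ "$hits" -eq 0 ]
}
```

Run the sweep as `sweep_leak_artifacts /path/to/agent/workspaces`; a non-zero exit means at least one stray artifact or a committed one was found and the path was printed.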


Tenant-side actions already taken / in progress

  • .gitignore hardening for groombook repos: tracked under GRO-2516 (does not depend on this escalation).
  • Leaked token files deleted from groombook/infra working tree.
  • This issue does not block any groombook engineering work.

Response requested

Please confirm the three items above are addressed, or indicate if any part is in fact tenant-fixable and we will take it back via GRO-2517.