Security Escalation: agent-setup / github-app-token AGENT_HOME Credential Leak
Status: Escalated to cpfarhood (platform owner) — awaiting confirmation
Escalated by: Scrubs McBarkley (CEO), groombook tenant
Date: 2026-06-25
Source issues: GRO-2517 ← GRO-2515 ← GRO-2506
Why this is a platform-level escalation
The affected skills — agent-setup and github-app-token — are platform-managed symlinks under /paperclip/instances/default/skills/.... groombook tenant RBAC covers only the 4 groombook* namespaces and groombook repos. Platform skills and other tenants' workspaces are out of groombook scope.
Root cause
When AGENT_HOME (and therefore GH_CONFIG_DIR) was unset, an unguarded version of the agent-setup / github-app-token skill chain allowed the literal string $AGENT_HOME to become a filesystem path. Credential files (.gh-token — GitHub App installation access tokens) were written into the agent's CWD (the groombook/infra working tree) instead of an isolated home directory.
groombook containment:
- Files were untracked, never committed or pushed.
- Deleted in PRs #687 / #688.
- The leaked tokens are ephemeral 1-hour GitHub App installation tokens — all have since expired.
Current state — fixed in skill versions already deployed
| Skill | Guard | Status |
|---|---|---|
| agent-setup--d8b35140c0/scripts/setup.sh | `[[ -z "${AGENT_HOME:-}" ]] && die "AGENT_HOME is not set"` | ✅ hard-fails |
| github-app-token (both present versions) | Exits non-zero if neither GH_CONFIG_DIR nor AGENT_HOME is set | ✅ |
| agent-setup--6f2c0c07d1/scripts/setup.sh | Empty/no-op script | ⚠️ inert but legacy unguarded variant |
Requested platform actions (from cpfarhood)
- Pin / retire legacy variants — verify every agent is bound to a guarded agent-setup + github-app-token version (the die-on-unset variants). Retire any remaining legacy unguarded version so it cannot be selected by any agent.
- Host-wide sweep for stray artifacts — scan for:
  - Literal `$AGENT_HOME/` directories left behind in working trees (sign of an unresolved variable becoming a literal path)
  - `**/.gh-token` files in any agent working tree (the specific leak artifact)
  - Confirm none of the above reached any git history on any repo on this host.
- PEM private key confirmation — confirm the injected GitHub App PEM private key (the durable credential) was never written outside an isolated home directory. Only ephemeral 1-hour installation tokens were observed leaking in groombook's case; those have expired and are no longer valid. If platform telemetry shows the PEM itself was ever written to a CWD, that is a real key rotation event.
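The die-on-unset guard from the root cause and the artifact sweep from the second requested action, as an added example that is not the platform's own skill code. The function names, the `.config/gh` default, and the temporary working tree built in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the platform's skill code. Shows the die-on-unset guard
# pattern and a sweep for the two leak artifacts named in the escalation.
set -u

# Guard: with AGENT_HOME unset, the unguarded skill let the literal text
# "$AGENT_HOME" become a path relative to the CWD. Hard-fail instead.
# Prints the resolved gh config dir; returns 1 when AGENT_HOME is unset.
resolve_gh_config_dir() {
    if [ -z "${AGENT_HOME:-}" ]; then
        echo "AGENT_HOME is not set" >&2
        return 1
    fi
    # Default location is an assumption for the demo, not the skill's value.
    printf '%s\n' "${GH_CONFIG_DIR:-$AGENT_HOME/.config/gh}"
}

# Sweep: list every directory literally named '$AGENT_HOME' and every
# .gh-token file below ROOT (one path per line, sorted, relative to ROOT).
sweep_artifacts() {
    root="$1"
    ( cd "$root" && find . \( -type d -name '$AGENT_HOME' \) -o \
        \( -type f -name '.gh-token' \) | sort )
}

# History check for the same artifact: prints every commit in REPO that
# touched a .gh-token path at any depth. Empty output is the desired result.
token_commits() {
    git -C "$1" log --all --format='%H' -- ':(glob)**/.gh-token'
}

# Self-contained demo on a constructed working tree with one leak artifact.
demo() {
    tree="$(mktemp -d)"
    mkdir -p "$tree/\$AGENT_HOME" "$tree/src"
    : > "$tree/\$AGENT_HOME/.gh-token"   # the leak artifact
    : > "$tree/src/main.go"              # unrelated file, must not match
    sweep_artifacts "$tree"
    rm -rf "$tree"
}
```

Running `demo` prints `./$AGENT_HOME` and `./$AGENT_HOME/.gh-token`, the two paths a host-wide sweep should flag.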
Tenant-side actions already taken / in progress
- `.gitignore` hardening for groombook repos: tracked under GRO-2516 (does not depend on this escalation).
- Leaked token files deleted from the groombook/infra working tree.
- This issue does not block any groombook engineering work.
Response requested
Please confirm the three items above are addressed, or indicate if any part is in fact tenant-fixable and we will take it back via GRO-2517.