diff --git a/.env.example b/.env.example
index fc6e1edc..f6f38291 100644
--- a/.env.example
+++ b/.env.example
@@ -31,6 +31,10 @@ PLUGINS_DIR= # Path to plugins/ directory (default: /plugins i
 # Observability (Awareness)
 # AWARENESS_URL= # If set, injected into workspace containers along with a deterministic AWARENESS_NAMESPACE derived from workspace ID. Enables the cross-session memory MCP server.
+# GitHub
+# GITHUB_REPO=owner/repo # Target repo for agent initial_prompt clone (e.g. Molecule-AI/molecule-monorepo). Read inside workspace containers.
+# GITHUB_TOKEN= # Personal access token / installation token used by agents that clone private repos. Register as a global secret via POST /admin/secrets for propagation to workspace env. Token is used in-URL during clone and then scrubbed from .git/config via `git remote set-url`.
+
 # Webhooks
 # GITHUB_WEBHOOK_SECRET= # HMAC secret used to verify incoming GitHub webhook payloads at /webhooks/github.
diff --git a/org-templates/molecule-dev/org.yaml b/org-templates/molecule-dev/org.yaml
index 040d48c4..a0f3f6d0 100644
--- a/org-templates/molecule-dev/org.yaml
+++ b/org-templates/molecule-dev/org.yaml
@@ -16,9 +16,13 @@ defaults:
 # be ready yet. Keep it local: clone, read, memorize. Wait for tasks.
 initial_prompt: |
 You just started. Set up your environment silently — do NOT contact other agents yet.
- 1. Clone the repo (authenticated when GITHUB_TOKEN is available, anonymous otherwise):
+ 1. Clone the repo (authenticated when GITHUB_TOKEN is available, anonymous otherwise).
+ When a token is present, use it in-URL ONLY for the clone, then immediately scrub
+ the remote URL so the token is never persisted to /workspace/repo/.git/config:
 if [ -n "$GITHUB_TOKEN" ]; then
- git clone "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPO}.git" /workspace/repo 2>/dev/null || (cd /workspace/repo && git pull)
+ git clone "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPO}.git" /workspace/repo 2>/dev/null \
+ && (cd /workspace/repo && git remote set-url origin "https://github.com/${GITHUB_REPO}.git") \
+ || (cd /workspace/repo && git pull)
 else
 git clone "https://github.com/${GITHUB_REPO}.git" /workspace/repo 2>/dev/null || (cd /workspace/repo && git pull)
 fi
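Review bot: The scrub in the token branch only runs when the clone succeeds: if `/workspace/repo` already exists the chain falls through to `|| (cd /workspace/repo && git pull)` without touching `origin`, so a checkout made under the previous prompt keeps the token in `.git/config`, and a failed `git remote set-url` falls through to the same `||` branch instead of stopping. After a successful scrub the stored remote has no credentials, so that later `git pull` will presumably fail on a private repo. I would keep the token out of the URL altogether by passing it per invocation through an inline credential helper that reads `GITHUB_TOKEN` from the environment, and scrub any pre-existing checkout before pulling, as sketched below; whether other credential helpers configured in the container could store the token should be checked. The `initial_prompt` text continues outside this hunk, so later steps that fetch or push may need the same treatment.

```yaml
if [ -n "$GITHUB_TOKEN" ]; then
  # Token is supplied per invocation by an inline credential helper that reads it
  # from the environment, so it never appears in the remote URL or in .git/config.
  cred='!f() { echo "username=x-access-token"; echo "password=${GITHUB_TOKEN}"; }; f'
  if [ -d /workspace/repo/.git ]; then
    # Scrub a checkout left by an earlier run before reusing it.
    git -C /workspace/repo remote set-url origin "https://github.com/${GITHUB_REPO}.git"
    git -C /workspace/repo -c credential.helper="$cred" pull
  else
    git -c credential.helper="$cred" clone "https://github.com/${GITHUB_REPO}.git" /workspace/repo
  fi
# … unchanged: else branch (anonymous clone) and closing fi …
```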