security: block token exfiltration patterns (OFFSEC-002) #3

Merged
sdk-lead merged 2 commits from plugin/offsec-002-token-exfil-2026-05-10 into main 2026-05-10 09:18:49 +00:00
Member

Fixes molecule-core#265 — OFFSEC-002.

molecule-careful-bash did not block credential exfiltration commands. An LLM prompt injection could instruct the agent to read token files or grep for secrets in env.

Added blocking for:

  • Direct token file reads: ~/.gh_token, .auth_token, .git-credentials-cache
  • cat of home-directory token paths
  • env | grep for secrets: token, api_key, secret, auth, password (case-insensitive)
  • Generic credential file extensions in cat targets

Also fixed: rm -rf .git check was looking for "/.git" (space before slash) which never matched "rm -rf .git".

Test plan: pytest tests/ — 35 tests, all passing.

Claude Code

plugin-dev added 1 commit 2026-05-10 09:05:35 +00:00
security: block token exfiltration patterns in careful-bash hook
All checks were successful
CI / validate (push) Successful in 1m6s
CI / validate (pull_request) Successful in 1m33s
b237d5fda8
OFFSEC-002 (molecule-core#265): molecule-careful-bash did not block
credential exfiltration commands. An LLM prompt injection could
instruct the agent to read token files or grep for secrets in env.

Added blocking for:
- Direct token file reads: ~/.gh_token, .auth_token, .git-credentials-cache
- cat of home-directory token paths: ~/.config/gh_token, /home/agent/.gh_token
- env | grep for secrets: token, api_key, secret, auth, password (case-insensitive)
- Generic credential file extensions in cat targets
- curl/wget credential redirect exfil

Also fixed: rm -rf .git check was looking for "/.git" (space before slash)
which never matched "rm -rf .git". Changed to regex r"(^|\s)\.git(?:\s|$|/)".

Added tests: 35 tests covering existing guards + new OFFSEC-002 patterns.
All passing.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
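The guard rules listed in the PR description and in this commit message, written out as an added Python example (not the plugin's own hook code): the regexes are my rendering of the page's list, the `.pem`/`.key` extensions and the recursive-rm detection are assumptions, and `old_git_check` reconstructs the pre-fix substring check only as the commit message describes it.

```python
import re
from typing import Optional

# Rules rendered from the PR's list; first match wins. Regexes are mine, not the hook's.
RULES = [
    ("token file read",
     re.compile(r"(?:^|[\s/=])\.(?:gh_token|auth_token|git-credentials-cache)(?=\s|$)")),
    ("cat of home-directory token path",
     re.compile(r"\bcat\s+(?:~|/home/[^\s/]+)/(?:\.config/)?\.?gh_token\b")),
    ("env piped to grep for secrets",  # secret words are matched case-insensitively
     re.compile(r"\benv\b.*\|\s*grep\b.*(?:token|api_key|secret|auth|password)", re.I)),
    ("cat of credential file",         # assumption: .pem/.key stand in for the page's
     re.compile(r"\bcat\s+\S+\.(?:pem|key)(?=\s|$)")),  # "generic credential file extensions"
]

# The corrected .git pattern quoted in the commit message.
GIT_DIR_RE = re.compile(r"(^|\s)\.git(?:\s|$|/)")
# Assumption: any recursive rm form (-r, -rf, -fr, --recursive) is in scope.
RM_RECURSIVE_RE = re.compile(r"\brm\s+(?:-[a-zA-Z]*r|--recursive)")


def old_git_check(cmd: str) -> bool:
    """Pre-fix check as the commit message describes it: a bare substring test for '/.git'."""
    return "/.git" in cmd


def check_command(cmd: str) -> Optional[str]:
    """Return the reason a command is blocked, or None if it passes every guard."""
    for reason, pattern in RULES:
        if pattern.search(cmd):
            return reason
    if RM_RECURSIVE_RE.search(cmd) and GIT_DIR_RE.search(cmd):
        return "recursive rm of .git"
    return None


if __name__ == "__main__":
    for cmd in ("cat ~/.gh_token", "env | grep -i TOKEN", "rm -rf .git", "rm -rf .gitignore"):
        print(f"{cmd!r:30} -> {check_command(cmd)}")
```

Note that the quoted `(^|\s)\.git` pattern only fires when `.git` stands alone or starts after whitespace, so it does not cover a path such as `repo/.git`, which the old substring check did.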
plugin-dev added 1 commit 2026-05-10 09:06:16 +00:00
docs: record OFFSEC-002 resolution in known-issues.md
All checks were successful
CI / validate (push) Successful in 1m1s
CI / validate (pull_request) Successful in 1m1s
f2e161a7f7
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
sdk-lead merged commit 70a7acda2a into main 2026-05-10 09:18:49 +00:00
Reference: molecule-ai/molecule-ai-plugin-molecule-careful-bash#3