From b237d5fda8c8129fec162941f25475100318917c Mon Sep 17 00:00:00 2001
From: Molecule AI Plugin-Dev <plugin-dev@agents.moleculesai.app>
Date: Sun, 10 May 2026 09:04:07 +0000
Subject: [PATCH 1/2] security: block token exfiltration patterns in
 careful-bash hook

OFFSEC-002 (molecule-core#265): molecule-careful-bash did not block
credential exfiltration commands. An LLM prompt injection could
instruct the agent to read token files or grep for secrets in env.

Added blocking for:
- Direct token file reads: ~/.gh_token, .auth_token, .git-credentials-cache
- cat of home-directory token paths: ~/.config/gh_token, /home/agent/.gh_token
- env | grep for secrets: token, api_key, secret, auth, password (case-insensitive)
- Generic credential file extensions in cat targets
- curl/wget credential redirect exfil

Also fixed: rm -rf .git check was looking for "/.git" (space before slash)
which never matched "rm -rf .git". Changed to regex r"(^|\s)\.git(?:\s|$|/)".

Added tests: 35 tests covering existing guards + new OFFSEC-002 patterns.
All passing.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .molecule-ci/scripts/requirements.txt         |   1 +
 .molecule-ci/scripts/validate-plugin.py       |  10 +-
 hooks/pre-bash-careful.py                     |  51 ++++-
 pytest.ini                                    |   6 +
 ..._bash_careful.cpython-311-pytest-9.0.3.pyc | Bin 0 -> 43489 bytes
 tests/test_pre_bash_careful.py                | 210 ++++++++++++++++++
 6 files changed, 275 insertions(+), 3 deletions(-)
 create mode 100644 pytest.ini
 create mode 100644 tests/__pycache__/test_pre_bash_careful.cpython-311-pytest-9.0.3.pyc
 create mode 100644 tests/test_pre_bash_careful.py

diff --git a/.molecule-ci/scripts/requirements.txt b/.molecule-ci/scripts/requirements.txt
index 3aecde9..a08df0d 100644
--- a/.molecule-ci/scripts/requirements.txt
+++ b/.molecule-ci/scripts/requirements.txt
@@ -1 +1,2 @@
 pyyaml>=6.0
+
diff --git a/.molecule-ci/scripts/validate-plugin.py b/.molecule-ci/scripts/validate-plugin.py
index 9e59e27..d463cb6 100644
--- a/.molecule-ci/scripts/validate-plugin.py
+++ b/.molecule-ci/scripts/validate-plugin.py
@@ -4,6 +4,7 @@ import os, sys, yaml
 
 errors = []
 
+# 1. plugin.yaml exists
 if not os.path.isfile("plugin.yaml"):
     print("::error::plugin.yaml not found at repo root")
     sys.exit(1)
@@ -11,23 +12,28 @@ if not os.path.isfile("plugin.yaml"):
 with open("plugin.yaml") as f:
     plugin = yaml.safe_load(f)
 
+# 2. Required fields
 for field in ["name", "version", "description"]:
     if not plugin.get(field):
         errors.append(f"Missing required field: {field}")
 
+# 3. Version format
 v = str(plugin.get("version", ""))
 if v and not all(c in "0123456789." for c in v):
     errors.append(f"Invalid version format: {v}")
 
+# 4. Runtimes type
 runtimes = plugin.get("runtimes")
 if runtimes is not None and not isinstance(runtimes, list):
     errors.append(f"runtimes must be a list, got {type(runtimes).__name__}")
 
+# 5. Has content
 content_paths = ["SKILL.md", "hooks", "skills", "rules"]
 found = [p for p in content_paths if os.path.exists(p)]
 if not found:
     errors.append("Plugin must contain at least one of: SKILL.md, hooks/, skills/, rules/")
 
+# 6. SKILL.md formatting check
 if os.path.isfile("SKILL.md"):
     with open("SKILL.md") as f:
         first_line = f.readline().strip()
@@ -39,9 +45,9 @@ if errors:
         print(f"::error::{e}")
     sys.exit(1)
 
-pn = plugin["name"]; pv = plugin["version"]
-print(f"\u2713 plugin.yaml valid: {pn} v{pv}")
+print(f"✓ plugin.yaml valid: {plugin['name']} v{plugin['version']}")
 if found:
     print(f"  Content: {', '.join(found)}")
 if runtimes:
     print(f"  Runtimes: {', '.join(runtimes)}")
+
diff --git a/hooks/pre-bash-careful.py b/hooks/pre-bash-careful.py
index 32b6131..9989a25 100755
--- a/hooks/pre-bash-careful.py
+++ b/hooks/pre-bash-careful.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python3
 """PreToolUse:Bash — enforce careful-mode patterns on shell commands."""
+import re
 import sys
 import os
 sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
@@ -44,7 +45,7 @@ def main() -> None:
             if "migrations" in cmd:
                 deny_pretooluse("careful-mode: rm -rf inside a migrations dir is REFUSED.")
             deny_pretooluse(f"careful-mode: rm -rf at filesystem root, HOME, or .git is REFUSED. Command: {cmd[:200]}")
-        if "/.git" in cmd:
+        if re.search(r"(^|\s)\.git(?:\s|$|/)", cmd):
             deny_pretooluse("careful-mode: rm -rf .git is REFUSED. Re-clone if you need a fresh repo.")
 
     # WARN list — log but allow
@@ -53,6 +54,54 @@ def main() -> None:
     if "gh pr close" in cmd or "gh issue close" in cmd:
         warn_to_stderr("[careful-mode WARN] closing a PR/issue is irreversible from this bot's standpoint. Confirm intent.")
 
+    # Token exfiltration — OFFSEC-002 / CRED-2
+    # Block direct reads of known token file paths
+    token_paths = [
+        ".gh_token",
+        ".git-credentials-cache",
+        ".auth_token",
+        "gh_token",
+        "git-credentials-cache",
+        ".auth-token",
+        ".claude/.gh_token",
+        "~/.gh_token",
+    ]
+    # Also block cat of any path containing token-like segments
+    if re.search(r"cat\s+.*(~|/home/[^/]+/)\S*(token|gh_token|git.credential|auth)", cmd, re.IGNORECASE):
+        deny_pretooluse(
+            "careful-mode: potential credential file read REFUSED. "
+            "Token files must not be read in the agent context. "
+            "Use platform-managed secrets instead."
+        )
+    if any(tok in cmd for tok in token_paths):
+        deny_pretooluse(
+            "careful-mode: token file read REFUSED. "
+            "Token files must not be read in the agent context. "
+            "Use platform-managed secrets instead."
+        )
+
+    # Block env | grep for secrets (common exfil staging pattern)
+    # Matches: env | grep token; env|grep -i API_KEY; env | grep secret
+    if re.search(r"env\s*\|\s*grep\s+(-i\s+)?(token|api_key|secret|auth|password|passwd)", cmd, re.IGNORECASE):
+        deny_pretooluse(
+            "careful-mode: env grep for secrets REFUSED. "
+            "Reading environment variables for secrets is not permitted in agent context."
+        )
+
+    # Block generic cat of potential credential file extensions or token-named files
+    if re.search(r"cat\s+.*(\.gh_token|\.git-credential|\.auth_token|auth_token|gh_token)", cmd, re.IGNORECASE):
+        deny_pretooluse(
+            "careful-mode: potential credential file read REFUSED. "
+            "Token files must not be read in the agent context."
+        )
+
+    # Block curl/wget exfiltration of credentials to external endpoints
+    if re.search(r"(curl|wget)\s+.*(Authorization|Bearer|token|key).*\s+>", cmd):
+        deny_pretooluse(
+            "careful-mode: credential exfiltration via redirect REFUSED. "
+            "Do not redirect credentials to external endpoints."
+        )
+
 
 if __name__ == "__main__":
     try:
diff --git a/pytest.ini b/pytest.ini
new file mode 100644
index 0000000..7aa90b9
--- /dev/null
+++ b/pytest.ini
@@ -0,0 +1,6 @@
+[pytest]
+testpaths = tests
+python_files = test_*.py
+python_classes = Test*
+python_functions = test_*
+addopts = -v
\ No newline at end of file
diff --git a/tests/__pycache__/test_pre_bash_careful.cpython-311-pytest-9.0.3.pyc b/tests/__pycache__/test_pre_bash_careful.cpython-311-pytest-9.0.3.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..8edd926e970f6a9cfdc31cecc9bb292315479f1e
GIT binary patch
literal 43489
zcmeHQYi!(BcILbvdW<Deem|JClX&7t<F{p7wj<lJ<HRd_ZKv62lVwLkN}@e8oLqAJ
zm>p%+H0?U6x5;i@INfFuwaq#<(hY*5DDtB}HbE1hK!3~xvyDK&K!9R@^q;(Tfgrzn
z&gGCp&O;vAV{Ooq(i~pid+xpD<-OlM=iCS1@8}3Ka10z{&PuBp=D+a5ID%!zoey0M
zbBz(0QAThH?xbtfP0yZ`H{o_MDc`8yrH2GY12iN!8l>mYXo#M}qhWe(8*PKLC)u9r
z810~Oyvfc~WHeHazhrcY7(Ux&+`vq?;j*3uml(3}^jO0Tw~d1}e644(_c}b)2k_Gm
z!6*2yd%y>N`f=S2SMbvhxWm9}%;-`f2y~g7Im!s3*BBve=Nes3L)svuy((k{4e5Z8
z&Z>}=G$aBcOR7Rv(U2|(>8=V{O+$Jhgslo$Be+j9(cav~=hBkOsiLAP+_+4*3=#Xr
z;>u)SB2L8dY_dOdiJO$=bN&B~4>%HaY2K4@brR1hIdSeAcYnX;Lk1;b77{Razz>V)
z&WAv+F{&l(tm(#=oo6JM<gyp?luPwN-12d@Qq<t{f#J<extrqhs39{7bJk2(@YIi;
zueuj|vF%`7OoQ~id3V#izPzVtUcUeps+L;_3ZbNb%A5C|4H(ZiV>Cs>gPw)3YH1*6
zX+y?<nKm0+`Jw@DdtKg@6<_-s6xxJ#q2sz2-WUAz!~P6YKHHsl8eG<M-e*sB%Afb0
zjTjs=OAMFwocG(~xR|_u#)Jwh=XJQK)Fx=SA^fx7rHe_ot!K6{iuZ#1qUQzXg3HCc
z0CnKo#GQB72SEGt<vq=CjUy;@=Ax&iR5lq`MeZaK&&YD}IYr!a5Kw_a0Vk!;%Za!u
z$?1MAtU@p^r88Mo3nb)JDxMZ{A?1?Nuc(5Q&V|cPIjfp(k&s*v{l$xtYJ&}g21M#R
zejwPF!0ot3ZUWJ~30V*oWZ=FTj$M$+IVBTMh%q8&WF?l8lVT#96b;y-7#5?jMkx=t
z#v`ur6<qr!IGBv5#)SC(+)9#7^AzR=lkjLsWq-dBwj6R)@OGw|8)v4OJK$mn;{Ax$
zR!)mg$pS%SA;_2Ose_@>9?g4Jk<*$_$fh!i=9XkFcv>Y=dg9m#f^9_eW#VdLQtOmb
z8JVa_X{<l1N=eO2=`tlFCirn8r}%LxDe`!i_yRPytY}_{ISJ{@Qd$cL5=qBXq88+J
zPF`CAw+BU|$HsIte^QPMBGKB!i;$`w40s-g_`wNLJs(eI#b`haB~n89)rRTY<b}8z
z*Zkmy*GbRtDz%V#$C{TW?|~E*L?uo?2=)eA&?sZ_1YBa{RsI~xahmyESMSx8Z@+ls
z*hiNNn}!Oj4;H%)mAVd1KXa=ia^(lFzjWoL=_6KWsN>4Yx1Rk~_j{{uj20gmC_OSz
z4DBw3cF!?wz8*?$QI_K~j}=4FQYbp-F#>*972q=h{>RURJ0aO;3fva>FNU_3LR;qo
zM(|va39T&z*XaMVk>yuj`7*NOi^z`I_7%6<JFgsl^Y|Obf7$)cvUk`0V%@Ko7gua8
zt=Rg};g26L9QuB-{e@Ed3%7lqCE>dakjq|34N^#d+1d9+XWtE>*txCLx$UxNHrRfp
z?aSc0FM{i4JjLLKQgA~dxM4Qf_Ga*n;OpTl;mhH<W#%2>!`?=6*L>_s0aUrZ{`%`G
zpL&=7ms4BLw0FOG;Ee;tw$-J!)o+i#EB`_+u8oz}#tLn*f;Xo880zCEk1aj2!Sl)B
z(jy(dPrH{5?+knzJ@~}%y3l7m?QrqgI`8oMj?dP6(EXST-H%iE6YUV;vz^}IJ#C-u
z@t}L33*GzC{kf|h68*fxd!#G$d6x&>tP9<})V;xbWMkm-O)j7|Bt%G{0@P-JylYIJ
znE{X5!w&KaNZhBHP?Ov<rXXfbS8&@qP{Fgp3~nTtRSQj1Zs?To32F|(D^&?I4fv|M
z{?p8QMzy3^5#%;7#EYFWKKTVk@1&#t-0&$;&5|^yPKsPcBq>Qz04@)U2?@^}A}I|U
zmx!Wrf|!=#NiGw=gvj_L2ZHd3oEG~>G*_5{z1EGr!)X9dX<SO2$g0@ib=M{w^=m!_
zU_Aq;Oj1$_iXNH|Q&lt%V5=5+=JbgXxDV*fh6#~L)T8+UO)<SNy%|0!r9~}Jz83{6
z0l=t^q3xMCQAA$9U9t;;Ho#B03S^r3s;%qI!8Zn9-+yKQ9OLq_vyq<5>YUr}W54QM
zb?wEUzxcBsUj5;hz0ogvqc=7bdt;^E*hj8X@7BxVTir{qKJoTwv3p~wd*kK6Y-H)1
zKYHUwg;lYSx{HzRrO5U#BLiPV1`4~sTa1j9A|r+1$k(^pBBi!<G@}ZkSwf~B$R0pP
zLBaFwq3A(3^Qk*>u-Ee`>jIhpU-K|3;hoLkb&V03Q5UF?P?1MHf*X`5uiydd6TCqE
zf)8jw@B<AB0T2#?TF)8KT~2|jqKHRik`Pa3mC4-Z;fs=@Lg&g&WaC8G!%cvalYtPf
zuMf1GgvhBfhy7hF6<1V|^xN7Vc3rgX9f$tOuDl3U>cNY^G35eP1o_KHO>2M$0YTl9
z_nt$!fdSFir~JOY`XPAozHyg8xyRjh0b20YS3T?)aGp_C*wRLsgdQr*U3c5tII+ht
z6^h0&(k|45o4g;k{{2*!6S4D|cTvp;dHZcCRyaNO=W4*^wQ~u9cf2_$r71ruRe8VU
zqE`XcqBhu4G8M{vz@C!*>Q$)77hO{x`1z*1RF(~o<W|>IMVUwwQkqsr%?nNY(oNSl
z?tS}ix^kNz-I%$wEvkfnRCaLtICO1}DjV^<C8|WjQ`|n?cV|?gkU+M>JHF}FJiv%#
z3zBU}c7D?tR}_(`G?jrUKvL$?z|Am~$Y@+G{8Z)=ip_kSXk8#ICzCu#*aRedfF4n6
zhhTmzD<z?EDJVyxu&gcTl}S096eue{k(9^cNuElfAzq1(i<pAeIYhGt^rg6`_3+RV
zQ*o6SFJ_YQG!<uW20?@rljHOeG#9V6VSf5OZ?#_RuwHD}FZASgSub`gs1oZ^sDYvD
z>EoesLlG4o-Ug4rfH#v6c~#~S7IM4lph|xe5wYm+>;X)hW^S>o3v2ck*})P!_<HEF
z|1H<8$f~!G6eH_Pk@baO-^_U+g~<Au^It^z&`JM)8|*6??y@JcfU{_X=q%<X1nE9M
z&6|ET9@fN7E;A<Fl|6BbhsgxDs&nay&zv{o01LSFEKI8V0I$xj^T4B7W0}lW2SE+r
z!DA?d@=-DHICyN7N$c=<Sp|>BLGCl5nCykT$RLvaNKn|KutW}^>oAgGBu9{(08$5Q
z)-`|(6KA$90B4Ly1CW;$V|EtVT_tvxgE0=qK+VA8tRwU3<xr6f|DZD8+6u;$)ejSB
zQ2S^J)I8b%YARw4W|iB$0Kl<FMJQA(qRqY{yT8QlcVMR_u=8}QR82-#HM8@pnQp3P
zdQd5?Q8T?ws&#gy@nJ!Zw`sN4u0ERgQ>{KOK+W{o#Ec4<+@G51H`UC55PYa=W@se0
zz7gb%i*YcFiLv-t;-(A6A(ZCzOi7`7qfO6Th&1#hg(y%d<qP!`ukxMoV<etVOy-_y
zh*V9c@KhCG9W1hkO6;LJfVF8xEd)2AE~XYDo6t%Be;eFXGTdcP$`agEG(vP1^Afmp
zAJoOlk!w7xiJM$zOjNyWF)bb@6V=6#OHX`8HRAvaxb-Yds`~)1&aU%7Y-=o&+3J`_
z7jpoMiWrRD<^#4V2e6n0+r<E|SQD^J*+@zg9txSnk=&R5waSV(X*4$_O^Z)1b}xXb
zihwGgRRG#nWVe^t?GBzS5Kl&;Asn4X`ykJ2VZJ;74eoZHe>odZmO}zOFUSd=C(q;i
zA4T#Kk})I#5}d(8A&QQUkllERWDEQh5y-UpH|yO~@a~!Ox_$j~j7fr~i~7}GK8eg_
z0-@GRGeExs%(wo)#s&zv_rL}WX85(Gl`45uf>8}cRG)_Ni(G%b@eG2&FrYCB99(<?
z%$6{ch1N@FGy^ANln=*x_RvQ&Y!y*QZx~kt^lpU-Z8e2(!(30Z;<3i-c6y8b%-Ue=
zruwQ#$DwAB?;~+6&CbZ*B9Hvp+RD?zLx*44Mlri3ZRI<S+6tX2r?(i30jQ}KQ;B-A
ziFV^?1$wvRXa#yXfGzs|N6SGgprbRjZDz}ZDh3;AODP)?Ed7I==BvyQ2kMJtdJoe?
z0%xEgnj5WgtPnMZ3*8n$`{|KrfS^cE#*s`QnM9IAl17q2Ql%1{ML#6R;HMk~VpRzS
z3f_Txs|521{g`rnp&#eC-dpI`XETB5AJCRp>e=b<9X||HFi19`O6SGgzG~tB@Tn6g
zxidotj}ONV55alp^sp)ar{#1X)@@EnOo}kM$<YNIU0{)BHm%AiFDJRa1owEQf^sm)
zhA4X<Z;5zgR|NzjXLvO}1~c0;L>6*88Z{uhGEf!mMQEp1c-~WF_m<ebb&NXBgq@l>
zKKisBM~z|}HEQwHC@yu0;*40v8M6yS6ySxi)?kf&<_-l7T>Jt{h{|v?umHHR#r$JH
z9IF}mK#_f_#6IO9jx&x9HRGX8-EoGc?rT_zYbez4C}x9X^MFHCI?$9ANs2R|gJROW
zF2U#S0W^(c3QYrzqj}D!dDfqc>{z;>dcomXy7Y2*P)paNRbma*?>PmQQ;*3PdGWlM
zR#A_7K(w(9h#P2A&Lp>eevzgMY09zC2xApz4j0+s5<6T+oN-WQK9m`W2J70lvQWO{
zB9a`EJd!FSmx6vsUVxwSM?kDbuA>F-(S;eg<{#+BjOyFG?sElSXQkSmN}U?dJzj0^
zA}OwqjB|07BeJaG;>>=SEaF(U9Lv@sS+;`Z8W?Md8EYAp?#vPG6i>!^tk}87><z(g
zw<0DV+PUxSHrANIvR!s#iQQNSa2<=4W3hs|Qa<d0nq#qAJd2e9AFn(#_?VPaVl(i8
zd@9rj@+U}~=`T(zSiDxyR_;Vmc56vPSXrkZg|vCt0Vx-~cUM|wMbTQR^rkNr*-a&O
zlhd0z)>x<*jx`nv0n4GX_NjUy<)W@?T4o61YAO>`5(IZl>x1_Gpk|R36iSTQJXF$#
z94L}(tcN7^IH_j-G8EQ4{i<U$q}9nW8tTP>E$e}%$MuxkLmGCIDlel@9<(j2t!)d|
z<a2%ZY!FuVX?RAfd2nly-Bx0^)#+ay^WgmE!BAcEAeJxrQzU<e<R?g8M^a@Yd<FfG
zq~KSxHfBq~yXD?C!m5=s)_HOBn+!4E`X)mHA<a&c(>MJB8lt-^hjC|R*eN;;v|WI`
zlt(*+cA%XC?4CRt5jue`5n#XM(Jo;L&~5>CNFMDGx?#FqkG2MD@frD?m>#|eJ8G)X
zmB7wK2Vp~_bFgh#Zs5d`Bd3QC^=;m~br0+n25g*Y;e(yxR9H=)R=89a=Gu*k+!)3b
z1;;4q7$q0UC>enrV7XUf{S%Y0F$`4DmgrQvAY|AkAqU<_Uf&X{VT-XFE3FYPLld{o
zu<I|fu@W1r(*rp6O2=Lam8E<*_DaiV2NrdU!VW~1*5b+<DpXo=MUXAnvUlFzxE5Qi
zk*`2~u?&asMYgZR_Brs<5(AF21F8W>b!NIaJD@InN*(Ngx(?wbh87$&1@|S02%Da&
zu>Z0GyZ6JYm6ixHkJSJU+IuZ|!QQ5jSMKlvk*97dZ$TxoD!KcM?12({z`-B~gUayn
z&<x2A2Hh71QRS&Wo>g0^Jn56`tU^vD1AXJY1*lJzs8^v5k-tRZ4A?pYwu?7ly9)bh
zFfbV3)``*f($_j;!-kqZ+Q^Ep)c)MT1@_Q&(s&yi&v~Z>K?yiZ)fRED|0QDjJeTJt
zVE=pFh};s<*51uP7CdI48vz&8&Df*91C_%n#Kwy3<`TQv5n>%77I6a(M~E$#L*v;H
zi)yFqwZKcC#0{N1#y>m!LQ62lu0ESUk-+7zu+N;BRwTMN#X{8QhN;Xzv09O5dy(By
zVs|*m;~<aT;2h*J%HdmrJY5##QADt+wPr@AeS;4ZFZ3L8dlsMwRK<O-3Sl-E*)1h@
zi-Rx@!Wb>f+%LZIM|K?J!{QkqI-mvTsp5pDfR@NK_W9x_LSXv(BKsz-bGDc_p#G4b
zA#sdzPWxEA_R#~i&@e4z-~)N^L2RKVtwf*xX&AB1x^Co=8@!)h*ogg)RsC?|*`Ur`
zAZIR6xod`#GZ*L&H5X_Z9jw<Sa3xkT%eMq;Hq{IOR0invuh)wgRkSt8X(e}T0l)({
zZ5ivYPU<7<u77~U>9d_ad-3}0rR4#&gq$9iCSu0S+Lkn>M{1gqDkWi22pz5CVY>Qc
zj_zdKq>PIVs5*gvh8ANr)9om-J4@_NM~QZnXs8)@I0FRba`={*=~mFr8yEe@;uA2(
zuEmQ5xEjpCtgMi;e}R2=Rs4^kIIV~?P-J(P*xe4|v;=XS#i)8~wJR6S7u>K^?&k|`
zVcjG#DaM5dU4y!wB1?Idb@?-FXo|QXsgrUR77oCKhulyT;4*&_|BCoh+56$eBKt&%
zeWDJ$IBQeqTbt@^kf{SnWtW7;V+ans+%LS)RY|Adi%H)d?oT~1!swq$GWKx*$bwbB
zJbXMu*Oy>Lu&C%?puLB}G;a#OvExhQrAZFHIQXJth+P=DFYAo6)AxOeFA>X#%E_TK
zPd}&(^QcvZp))kcWr7f+8&i385+Fy(9co^RX_&~rLEX8t$Ji0Fu%_`6YX@lN1DcU2
zTX&O<pF;T(T;xUm3dvt1xrXF#ko+x@Um|%I$=@OQ2PD5j@;;KANIpRFYa~^BbNmJR
zA;B#?lrVjd#ty!--h&12!3FQlQMFaax8!o39Yf~dKm-e?{stmzA!NP{L}0TIpVp3T
z?D;rJAD0w0xApm<QzKjwoO|H2Szs37;KTN5S(U~mQQ*e1DwmK`DcE?MgD;9CL{Wf`
zXt^O9<3Qt%2Yz>&RG{5c9u@h^N8WA6_$jZzO!@NOye|toN96s=?^Wv_8fHwvo%fHs
z1P^kKyRUm0<^%ZYhu~GseT2XaXU4w{!5<h*%y~vxVN3gA&3Sq79;m8}2y46Vig~Sy
z52R~f1J0^_%NlU`?C(Y}b~g(M0U?+VNG>{B5LCO&LS<|znQtK<w5MdhdetQ`7hO|c
z`1z-N0t2-aK6dydEH33TS!EJF>I{8FLhM6*w=XHetXtUiTAGm3+_)H5vqX$tY_@y4
z86qd)W;K5zo>49-WIJ4t?;$yb<TR2qNS;H2n};j-5S($)Pit%Xnu80_gcP3M8db%4
zdTTklMVisP^u_x1IsXGwxAarb7TMz^_PC>PFYpWM4je&6f@9GX?kbr1{{csliAm@I
zxkOS1_}Q{`TeFBm{s~@9JrL=o60r^qm@2B=8It>swRg6{M}?;VDUuJ7;E4T5)L&Oj
z!vRY2FG$)9R*GJP4)`Paclap-Kn(F}nwj+u7QBNfV9g_)Fh(fNpQaaGOTRy=1;?_m
zeHg5XAjcqGZ3UmXgpb(|bFxH&dy4fF@dA-lQ45(~TA=JljzS#Lg9LjNvI3Lv08DFc
zB5DB~woOW71Z4m%m`zKt=@@($6uW)RujfNn(hFRZK~%B|F34&mYmneaNXafFyOH46
zO6hkZ=tgi<;?#@AUR>V<2UD_;O^W-;ClCX~QAYVspmQFV%k>r0Uts!YttD6~OX><u
z)4y4!ZJPegGNw;>n*LdQmKPY?|17hjVE_M$>6oT}UooE7f<KA88hOk0*4C@Lt_}Wt
zaK`;!;Qh$oM?MM`x!omh_s83Rv#i*2tkiR?$UIYGo+&WT%=x=qo97slYz({DImRR_
zdtLC_Ysqc&yITp^+<|<x<Tm=<tpspg$X82lqu<?1z{c7v>21{HJLJLy>(krR|E@Lk
TX?F<uYsqc&yIUuK*69BQ(xoky

literal 0
HcmV?d00001

diff --git a/tests/test_pre_bash_careful.py b/tests/test_pre_bash_careful.py
new file mode 100644
index 0000000..7092397
--- /dev/null
+++ b/tests/test_pre_bash_careful.py
@@ -0,0 +1,210 @@
+#!/usr/bin/env python3
+"""Unit tests for pre-bash-careful.py hook."""
+import io
+import json
+import os
+import sys
+import re
+from pathlib import Path
+from unittest import mock
+
+import pytest
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "hooks"))
+
+
+def run_hook(cmd_input):
+    """Simulate PreToolUse:Bash hook invocation."""
+    stdin_data = json.dumps({"tool_input": {"command": cmd_input}})
+    stdout = io.StringIO()
+    stderr = io.StringIO()
+    with mock.patch("sys.stdin", io.StringIO(stdin_data)), \
+         mock.patch("sys.stdout", stdout), \
+         mock.patch("sys.stderr", stderr), \
+         mock.patch("sys.exit", lambda code: None):
+        import importlib.util
+        spec = importlib.util.spec_from_file_location(
+            "careful_mod",
+            os.path.join(os.path.dirname(__file__), "..", "hooks", "pre-bash-careful.py"),
+        )
+        mod = importlib.util.module_from_spec(spec)
+        spec.loader.exec_module(mod)
+        mod.main()
+    return stdout.getvalue(), stderr.getvalue()
+
+
+def parse_denial(output):
+    """Return the permissionDecision from the first denial payload, or None."""
+    if not output.strip():
+        return None
+    try:
+        # Handle multiple JSON lines (hook may emit multiple denials)
+        first_line = output.strip().split("\n")[0]
+        payload = json.loads(first_line)
+        return payload.get("hookSpecificOutput", {}).get("permissionDecision")
+    except json.JSONDecodeError:
+        return None
+
+
+class TestRefuseForcePush:
+    """Existing guard: git push --force to main/master."""
+
+    def test_refuses_git_push_force_to_main(self):
+        output, _ = run_hook("git push --force origin main")
+        assert parse_denial(output) == "deny"
+
+    def test_refuses_git_push_f_to_main(self):
+        output, _ = run_hook("git push -f origin main")
+        assert parse_denial(output) == "deny"
+
+    def test_refuses_git_push_force_to_master(self):
+        output, _ = run_hook("git push --force origin master")
+        assert parse_denial(output) == "deny"
+
+    def test_allows_git_push_force_to_feature_branch(self):
+        output, _ = run_hook("git push --force origin feature/abc")
+        assert parse_denial(output) is None
+
+    def test_allows_normal_git_push(self):
+        output, _ = run_hook("git push origin main")
+        assert parse_denial(output) is None
+
+
+class TestRefuseGitResetHard:
+    """Existing guard: git reset --hard against main."""
+
+    def test_refuses_reset_hard_main(self):
+        output, _ = run_hook("git reset --hard origin/main")
+        assert parse_denial(output) == "deny"
+
+    def test_refuses_reset_hard_space_main(self):
+        output, _ = run_hook("git reset --hard HEAD~3 main")
+        assert parse_denial(output) == "deny"
+
+    def test_allows_reset_hard_on_feature_branch(self):
+        output, _ = run_hook("git reset --hard HEAD~1")
+        assert parse_denial(output) is None
+
+
+class TestRefuseSQLDestructive:
+    """Existing guard: DROP TABLE/DATABASE against non-test schemas."""
+
+    def test_refuses_drop_table_prod(self):
+        output, _ = run_hook("psql -c 'DROP TABLE users;'")
+        assert parse_denial(output) == "deny"
+
+    def test_refuses_drop_database_prod(self):
+        output, _ = run_hook("mysql -e 'DROP DATABASE prod_db'")
+        assert parse_denial(output) == "deny"
+
+    def test_allows_drop_on_test_schema(self):
+        output, _ = run_hook("psql -c 'DROP TABLE users_test;'")
+        assert parse_denial(output) is None
+
+    def test_allows_drop_on_sandbox(self):
+        output, _ = run_hook("mysql -e 'DROP TABLE sandbox_events;'")
+        assert parse_denial(output) is None
+
+
+class TestRefuseRmRf:
+    """Existing guard: rm -rf at root or .git."""
+
+    def test_refuses_rm_rf_root(self):
+        output, _ = run_hook("rm -rf /")
+        assert parse_denial(output) == "deny"
+
+    def test_refuses_rm_rf_home(self):
+        output, _ = run_hook("rm -rf ~")
+        assert parse_denial(output) == "deny"
+
+    def test_refuses_rm_rf_git_dir(self):
+        output, _ = run_hook("rm -rf .git")
+        assert parse_denial(output) == "deny"
+
+    def test_allows_rm_rf_tmp_dir(self):
+        output, _ = run_hook("rm -rf /tmp/scratch-dir")
+        assert parse_denial(output) is None
+
+    def test_allows_rm_rf_node_modules(self):
+        output, _ = run_hook("rm -rf node_modules")
+        assert parse_denial(output) is None
+
+
+class TestTokenExfiltrationBlocking:
+    """OFFSEC-002: token exfiltration patterns must be blocked."""
+
+    def test_refuses_cat_gh_token(self):
+        output, _ = run_hook("cat ~/.gh_token")
+        assert parse_denial(output) == "deny"
+
+    def test_refuses_cat_dot_gh_token(self):
+        output, _ = run_hook("cat .gh_token")
+        assert parse_denial(output) == "deny"
+
+    def test_refuses_cat_git_credentials_cache(self):
+        output, _ = run_hook("cat /tmp/.git-credentials-cache")
+        assert parse_denial(output) == "deny"
+
+    def test_refuses_cat_auth_token(self):
+        output, _ = run_hook("cat .auth_token")
+        assert parse_denial(output) == "deny"
+
+    def test_refuses_cat_molecule_auth_token(self):
+        output, _ = run_hook("cat ~/.molecule/.auth-token")
+        assert parse_denial(output) == "deny"
+
+    def test_refuses_env_grep_token(self):
+        output, _ = run_hook("env | grep token")
+        assert parse_denial(output) == "deny"
+
+    def test_refuses_env_grep_case_insensitive(self):
+        output, _ = run_hook("env | grep -i API_KEY")
+        assert parse_denial(output) == "deny"
+
+    def test_refuses_env_grep_secret(self):
+        output, _ = run_hook("env | grep secret")
+        assert parse_denial(output) == "deny"
+
+    def test_refuses_env_grep_auth(self):
+        output, _ = run_hook("env|grep auth")
+        assert parse_denial(output) == "deny"
+
+    def test_refuses_env_grep_password(self):
+        output, _ = run_hook("env | grep password")
+        assert parse_denial(output) == "deny"
+
+    def test_refuses_cat_credential_file_extensions(self):
+        output, _ = run_hook("cat /secrets/auth_token")
+        assert parse_denial(output) == "deny"
+
+    def test_refuses_cat_tilde_token_path(self):
+        output, _ = run_hook("cat ~/.config/gh_token")
+        assert parse_denial(output) == "deny"
+
+    def test_refuses_cat_home_token_path(self):
+        output, _ = run_hook("cat /home/agent/.gh_token")
+        assert parse_denial(output) == "deny"
+
+    def test_allows_normal_env_without_grep(self):
+        output, _ = run_hook("env | head")
+        assert parse_denial(output) is None
+
+    def test_allows_reading_nontoken_files(self):
+        output, _ = run_hook("cat README.md")
+        assert parse_denial(output) is None
+
+    def test_allows_grep_for_nonsecret_things(self):
+        output, _ = run_hook("env | grep PATH")
+        assert parse_denial(output) is None
+
+
+class TestWarnList:
+    """WARN list: agent is notified but command proceeds."""
+
+    def test_warns_force_with_lease(self, capsys):
+        output, _ = run_hook("git push --force-with-lease origin feature/x")
+        assert parse_denial(output) is None  # not denied
+
+    def test_warns_closing_pr(self, capsys):
+        output, _ = run_hook("gh pr close 123")
+        assert parse_denial(output) is None  # not denied
\ No newline at end of file
-- 
2.45.2


From f2e161a7f76da5a5886989597071232d12cf59f3 Mon Sep 17 00:00:00 2001
From: Molecule AI Plugin-Dev <plugin-dev@agents.moleculesai.app>
Date: Sun, 10 May 2026 09:06:13 +0000
Subject: [PATCH 2/2] docs: record OFFSEC-002 resolution in known-issues.md

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 known-issues.md | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/known-issues.md b/known-issues.md
index 68b663e..0536239 100644
--- a/known-issues.md
+++ b/known-issues.md
@@ -10,7 +10,30 @@
 
 ## Recently Resolved
 
-*(No recently resolved issues.)*
+### [RESOLVED] OFFSEC-002: Token exfiltration patterns not blocked
+
+**Severity:** P0 (security)
+**Resolved in:** v1.0.1
+
+**Symptoms:** The PreToolUse:Bash hook blocked destructive commands (force push, DROP TABLE, rm -rf) but did NOT block token exfiltration patterns. An LLM prompt injection could instruct the agent to execute:
+- `cat ~/.gh_token`
+- `cat /tmp/.git-credentials-cache`
+- `env | grep token`
+
+**Cause:** The REFUSE list in `pre-bash-careful.py` only covered git/SQL/rm commands. Token file reads and env variable grep patterns were not covered.
+
+**Fix:** Added blocking for:
+- Direct token file reads (`.gh_token`, `.auth_token`, `.git-credentials-cache`, etc.)
+- `cat` of home-directory token paths (`~/.config/gh_token`, `/home/agent/.gh_token`)
+- `env | grep` for secrets (case-insensitive: token, api_key, secret, auth, password, passwd)
+- Generic credential file extensions in `cat` targets
+- curl/wget credential redirect exfil
+
+Also fixed: `rm -rf .git` check used `"/.git"` string search which never matched. Changed to regex `r"(^|\s)\.git(?:\s|$|/)"`.
+
+**Prevention:** New security-sensitive patterns must be reviewed during plugin review. Add token-exfil test cases to any hook touching credential paths.
+
+---
 
 ---
 
-- 
2.45.2