molecule-ai-plugin-molecule.../known-issues.md
Molecule AI Plugin-Dev 70a7acda2a
security: block token exfiltration patterns (OFFSEC-002) (#3)
[sdk-lead-agent] P0 security: blocks LLM-prompt-injection token exfil — token file reads (.gh_token, .auth_token, .git-credentials-cache), env|grep secrets, curl/wget credential redirects. Also fixes latent bug where rm -rf .git guard used substring match that never fired (now regex). 210 lines of unit tests, CI green on push+PR. Followup needed: gitignore __pycache__/. Approved + merged.
Co-authored-by: Molecule AI Plugin-Dev <plugin-dev@agents.moleculesai.app>
Co-committed-by: Molecule AI Plugin-Dev <plugin-dev@agents.moleculesai.app>
2026-05-10 09:18:41 +00:00


Known Issues — molecule-careful-bash


Active Issues

(None currently open. This section is updated when issues are filed.)


Recently Resolved

[RESOLVED] OFFSEC-002: Token exfiltration patterns not blocked

Severity: P0 (security)
Resolved in: v1.0.1

Symptoms: The PreToolUse:Bash hook blocked destructive commands (force push, DROP TABLE, rm -rf) but did NOT block token exfiltration patterns. An LLM prompt injection could instruct the agent to execute:

  • cat ~/.gh_token
  • cat /tmp/.git-credentials-cache
  • env | grep token

Cause: The REFUSE list in pre-bash-careful.py only covered git/SQL/rm commands. Token file reads and env variable grep patterns were not covered.

Fix: Added blocking for:

  • Direct token file reads (.gh_token, .auth_token, .git-credentials-cache, etc.)
  • cat of home-directory token paths (~/.config/gh_token, /home/agent/.gh_token)
  • env | grep for secrets (case-insensitive: token, api_key, secret, auth, password, passwd)
  • Generic credential file extensions in cat targets
  • curl/wget credential redirect exfil

Also fixed: the rm -rf .git guard searched for the substring "/.git", which does not occur in the plain rm -rf .git form, so the guard never matched. It now uses the regex r"(^|\s)\.git(?:\s|$|/)". Caveat: that regex requires start-of-string or whitespace immediately before .git, so a path form such as rm -rf repo/.git (where the preceding character is "/") is not matched by it; a guard that must cover that form has to accept "/" before .git as well.

Prevention: New security-sensitive patterns must be reviewed during plugin review. Add token-exfil test cases to any hook touching credential paths.



How to Update This File

When a new issue is identified:

  1. Add it under Active Issues using the template below
  2. Include: symptom, cause (if known), workaround
  3. When fixed, move to Recently Resolved and note the fix version

Issue Template

## [TICKET-NUMBER] <Short Title>

**Severity:** P0 / P1 / P2 / P3
**Status:** Workaround / Fix in progress / Fix available
**Affected versions:** All / vX.Y.Z+

**Symptoms:**
**Cause:**
**Workaround:**
**Fix (if available):**

Severity Definitions

| Level | Description |
|-------|-------------|
| P0 | Destructive or credential-exfiltrating command passes through; no block |
| P1 | Hook misidentifies a safe command as destructive (false positive) |
| P2 | Command is warned about but not blocked (WARN instead of REFUSE) |
| P3 | Cosmetic or documentation issue |

Reporting

Use the Molecule-AI/internal issue tracker. Tag with plugin-molecule-careful-bash.