fix(plugins): harden skill copy — no symlink-deref, scrub template PAT (#32 security) #149

Merged

core-devops merged 1 commits from fix/rfc2843-32-copytree-symlink-scrub into main 2026-06-17 19:34:32 +00:00

Conversation 2 Commits 1 Files Changed 2

+47 -3

core-devops commented 2026-06-17 19:32:22 +00:00

Member

Copy Link

Copy Source

Adversarial review of the #32 chain found 2 leak-hardening gaps in AgentskillsAdaptor: (1) copytree symlinks=False derefs a malicious skill-tree symlink into agent-readable /configs/skills (arbitrary-file-read) → symlinks=True; (2) _SCRUB_KEYS omitted MOLECULE_TEMPLATE_REPO_TOKEN/MOLECULE_ADMIN_TOKEN → plugin setup.sh could exfil the PAT → added. Both bounded today (our own repos) but load-bearing for #31 marketplace. Tests added. 🤖

Adversarial review of the #32 chain found 2 leak-hardening gaps in AgentskillsAdaptor: (1) copytree symlinks=False derefs a malicious skill-tree symlink into agent-readable /configs/skills (arbitrary-file-read) → symlinks=True; (2) _SCRUB_KEYS omitted MOLECULE_TEMPLATE_REPO_TOKEN/MOLECULE_ADMIN_TOKEN → plugin setup.sh could exfil the PAT → added. Both bounded today (our own repos) but load-bearing for #31 marketplace. Tests added. 🤖

core-devops added 1 commit 2026-06-17 19:32:22 +00:00

fix(plugins): harden skill copy — no symlink-deref, scrub template PAT (#32 security) ... f74d0849d0

Adversarial review of the #32 chain found two leak-hardening gaps in the
AgentskillsAdaptor install path (both bounded today since skills come from our
own private repos, but load-bearing once #31 admits third-party skills):

1. shutil.copytree defaulted to symlinks=False → a skill tree carrying a
   symlink (e.g. leak -> /etc/molecule.env or /proc/self/environ) would be
   DEREFERENCED and the target's contents copied into the agent-readable
   /configs/skills/ — an arbitrary-file-read into agent space. Fix: symlinks=True
   on both copytree calls (copy links as links, never deref) + skip symlinks in
   files_written.

2. _SCRUB_KEYS (the setup.sh env scrubber) omitted MOLECULE_TEMPLATE_REPO_TOKEN
   and MOLECULE_ADMIN_TOKEN, which ARE present in the workspace container env →
   a malicious plugin's setup.sh could inherit + exfiltrate the read-only
   template PAT. Fix: add both to the scrub set. (Closes the third-party-plugin
   vector; the agent-itself env-read is inherent to the interim single-token
   model, retired by the #31 marketplace broker.)

Tests: symlink-target-not-leaked + scrub-keys-present. Full registry suite green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

molecule-code-reviewer approved these changes 2026-06-17 19:33:31 +00:00

molecule-code-reviewer left a comment

Member

Copy Link

Copy Source

Security hardening: copytree symlinks=True (no deref into agent-readable /configs/skills) + scrub template/admin tokens from plugin setup.sh env. Tests added. APPROVE.

Security hardening: copytree symlinks=True (no deref into agent-readable /configs/skills) + scrub template/admin tokens from plugin setup.sh env. Tests added. APPROVE.

core-security approved these changes 2026-06-17 19:33:31 +00:00

core-security left a comment

Member

Copy Link

Copy Source

Security hardening: copytree symlinks=True (no deref into agent-readable /configs/skills) + scrub template/admin tokens from plugin setup.sh env. Tests added. APPROVE.

Security hardening: copytree symlinks=True (no deref into agent-readable /configs/skills) + scrub template/admin tokens from plugin setup.sh env. Tests added. APPROVE.

core-devops merged commit 508572fb96 into main 2026-06-17 19:34:32 +00:00

core-devops deleted branch fix/rfc2843-32-copytree-symlink-scrub 2026-06-17 19:34:33 +00:00

core-devops referenced this pull request 2026-06-20 00:00:12 +00:00

fix(concierge): recognize plugin-delivered management MCP in RCA#2970 online gate #156

Sign in to join this conversation.

Reviewers

No Reviewers

molecule-code-reviewer

core-security

Labels

Clear labels

approved

needs-engineer

ready-to-build

triaged

PM triaged

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) molecule-code-reviewer molecule-runtime-release-bot (Molecule Runtime Release Bot) plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)

No Assignees

3 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-ai-workspace-runtime#149