Secrets are exposed to plugins and subprocesses via environment variables #51

Closed
opened 2026-02-22 06:36:30 +00:00 by nazim · 1 comment
Contributor

Problem

Cobot currently has no secret management. Credentials (API keys, bot tokens, wallet keys) live in environment variables or config files and are accessible to:

  1. Every plugin — any plugin can read os.environ["TELEGRAM_BOT_TOKEN"] or any other secret, regardless of whether it needs it
  2. Every subprocess — exec calls, shell tools, and scripts inherit the full environment including all secrets
  3. LLM output — if the model accidentally echoes a secret, nothing catches it before it reaches Telegram/Nostr/logs

This means a single misbehaving plugin, a prompt injection that triggers a tool call, or even a careless env command can leak every credential the agent has.

What we want

  • Plugins should only access the secrets they actually need
  • Subprocesses should never see raw credentials
  • Outbound messages should be scanned for accidental secret leakage
  • Secrets should be encrypted at rest, decrypted only in RAM at runtime

Prior art

  • IronClaw (nearai/ironclaw) — Rust agent with WASM-sandboxed tools. Secrets injected at host boundary, never exposed to tool code. Leak detection on all outputs.
  • avault — NIP-44 encrypted vault with NIP-46 remote signing (operator phone as hardware key). Secrets in RAM only while daemon runs. Built as a standalone tool, not yet integrated into cobot.

Impact

Without this, cobot cannot safely:

  • Run untrusted or third-party plugins
  • Execute arbitrary tool commands from LLM decisions
  • Operate in multi-user or DVM scenarios where external job requests trigger tool execution
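As an added example (not cobot's code and not part of the issue as filed), the sketch below shows how the three controls the issue asks for fit together in a Python host, which the os.environ reference suggests cobot is: secrets are pulled out of the process environment into a broker, each plugin gets only the secrets it was granted, subprocesses receive an allowlisted environment instead of inheriting the parent's, and outbound text is redacted before it leaves. Every class, function and constant name here (SecretBroker, SECRET_ENV_NAMES, SAFE_ENV_PASSTHROUGH, the Telegram token shape) is an assumption made for illustration; the token value is constructed and is not a real credential.

```python
"""Added example (not cobot's code; every name here is an assumption for illustration):
a small secret broker for an agent host covering per-plugin grants, scrubbed subprocess
environments, and redaction of outbound text."""
import re
import subprocess
import sys
from typing import Dict, Iterable, Mapping, MutableMapping

# Variables the host treats as secrets (assumed list; a real deployment reads this from config).
SECRET_ENV_NAMES = ("TELEGRAM_BOT_TOKEN", "OPENAI_API_KEY", "NOSTR_NSEC", "WALLET_KEY")
# The only variables forwarded to child processes. Allowlist, not denylist: a secret added
# later is dropped by default instead of leaking by default.
SAFE_ENV_PASSTHROUGH = ("PATH", "HOME", "LANG", "LC_ALL", "TERM", "TZ")
# Rough shape of a Telegram bot token (assumption) so a token the broker does not know
# about, e.g. one the model saw in a tool result, is still caught on the way out.
TELEGRAM_TOKEN_RE = re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b")


class SecretAccessDenied(PermissionError):
    pass


class SecretBroker:
    """Holds secrets in process memory and mediates every access to them."""

    def __init__(self, secrets: Mapping[str, str], grants: Mapping[str, Iterable[str]]):
        self._secrets: Dict[str, str] = dict(secrets)
        # plugin name -> set of secret names that plugin may read
        self._grants = {plugin: frozenset(names) for plugin, names in grants.items()}

    @classmethod
    def from_environ(cls, environ: MutableMapping[str, str], grants) -> "SecretBroker":
        """Pull secrets OUT of the environment mapping (pass os.environ in production), so
        later os.environ reads by plugins and inheritance by children both come up empty."""
        secrets = {name: environ.pop(name) for name in SECRET_ENV_NAMES if name in environ}
        return cls(secrets, grants)

    def get(self, plugin: str, name: str) -> str:
        """Per-plugin access: a plugin only ever receives secrets it was granted."""
        if name not in self._grants.get(plugin, frozenset()):
            raise SecretAccessDenied(f"plugin {plugin!r} is not granted {name!r}")
        return self._secrets[name]

    def child_env(self, parent_env: Mapping[str, str]) -> Dict[str, str]:
        """Environment for subprocesses, built from the allowlist so no secret is inherited."""
        return {k: v for k, v in parent_env.items() if k in SAFE_ENV_PASSTHROUGH}

    def redact(self, text: str) -> str:
        """Outbound scan: replace known secret values (longest first, so a secret that is a
        prefix of another cannot leave a partial match) and anything token-shaped."""
        out = text
        for name, value in sorted(self._secrets.items(), key=lambda kv: -len(kv[1])):
            if len(value) >= 8:  # very short values would over-redact ordinary text
                out = out.replace(value, f"[REDACTED:{name}]")
        return TELEGRAM_TOKEN_RE.sub("[REDACTED:token-shape]", out)

    def run_tool(self, argv, parent_env: Mapping[str, str], timeout: float = 30) -> str:
        """Run an LLM-requested tool with the scrubbed environment; return stdout, redacted."""
        proc = subprocess.run(argv, env=self.child_env(parent_env),
                              capture_output=True, text=True, timeout=timeout)
        return self.redact(proc.stdout)


def can_access(broker: SecretBroker, plugin: str, name: str) -> bool:
    try:
        broker.get(plugin, name)
        return True
    except SecretAccessDenied:
        return False


def probe_child(broker: SecretBroker, parent_env: Mapping[str, str], name: str) -> str:
    """What a subprocess sees for `name`: a Python child prints the variable or '<unset>'."""
    code = f"import os; print(os.environ.get({name!r}, '<unset>'))"
    return broker.run_tool([sys.executable, "-c", code], parent_env).strip()


if __name__ == "__main__":
    # Constructed sample: a fake token in the shape Telegram uses, never a real credential.
    fake_env = {"TELEGRAM_BOT_TOKEN": "123456789:AAHfakeTOKENfakeTOKENfakeTOKENfake0",
                "PATH": "/usr/bin:/bin", "HOME": "/tmp"}
    broker = SecretBroker.from_environ(fake_env, {"telegram": ["TELEGRAM_BOT_TOKEN"], "shell": []})
    print("still in env:", "TELEGRAM_BOT_TOKEN" in fake_env)
    print("shell plugin may read token:", can_access(broker, "shell", "TELEGRAM_BOT_TOKEN"))
    print("child sees:", probe_child(broker, fake_env, "TELEGRAM_BOT_TOKEN"))
    print(broker.redact("model said: my token is 123456789:AAHfakeTOKENfakeTOKENfakeTOKENfake0"))
```

Two design points worth noting. The allowlist in child_env is what makes "subprocesses never see raw credentials" hold without anyone maintaining a list of secret names for the scrub step; the secret names list only matters for moving values out of the environment at startup. The redaction step is a last line of defence, not the control: it catches a verbatim echo and one assumed token shape, but a model or tool that base64-encodes or splits a secret across two messages will get past it, which is why the other two controls have to exist. Encryption at rest (the avault approach) is a separate layer that this sketch does not cover.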
Owner

duplicate of #50

k9ert closed this issue 2026-02-27 00:34:59 +00:00
Reference
ultanio/cobot#51