fix: strip skill-injected env vars from ACP harness spawn env (#36280)#36316
Merged
vincentkoc merged 5 commits intoopenclaw:mainfrom Mar 6, 2026
Merged
fix: strip skill-injected env vars from ACP harness spawn env (#36280)#36316vincentkoc merged 5 commits intoopenclaw:mainfrom
vincentkoc merged 5 commits intoopenclaw:mainfrom
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a60ac95d1d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Contributor
Greptile SummaryThis PR fixes a credential-leak bug where skill-injected env vars (e.g., Key points:
Confidence Score: 5/5
Last reviewed commit: a60ac95 |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
Skill apiKey entries (e.g., openai-image-gen with primaryEnv=OPENAI_API_KEY) are set on process.env during agent runs and only reverted after the run completes. ACP harnesses like Codex CLI inherit these vars, causing them to silently use API billing instead of their own auth (e.g., OAuth). The fix tracks which env vars are actively injected by skill overrides in a module-level Set (activeSkillEnvKeys) and strips them in resolveAcpClientSpawnEnv() before spawning ACP child processes. Fixes openclaw#36280
vincentkoc
force-pushed
the
fix/skill-apikey-leak-to-acp
branch
from
a60ac95 to
2894f9d
Compare
Member
|
Rebased this branch onto current The active diff is now just the ACP env-leak fix, targeted lifecycle coverage for skill-injected env keys, and the changelog entry with attribution. I also fixed the stale Local verification on the rebased branch:
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2894f9da73
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
vincentkoc
added a commit
to BryanTegomoh/openclaw-fork
that referenced
this pull request
Mar 8, 2026
…aw#36280) (openclaw#36316) * fix: strip skill-injected env vars from ACP harness spawn env Skill apiKey entries (e.g., openai-image-gen with primaryEnv=OPENAI_API_KEY) are set on process.env during agent runs and only reverted after the run completes. ACP harnesses like Codex CLI inherit these vars, causing them to silently use API billing instead of their own auth (e.g., OAuth). The fix tracks which env vars are actively injected by skill overrides in a module-level Set (activeSkillEnvKeys) and strips them in resolveAcpClientSpawnEnv() before spawning ACP child processes. Fixes openclaw#36280 * ACP: type spawn env for stripped keys * Skills: cover active env key lifecycle * Changelog: note ACP skill env isolation * ACP: preserve shell marker after env stripping --------- Co-authored-by: Vincent Koc <[email protected]>
Saitop
pushed a commit
to NomiciAI/openclaw
that referenced
this pull request
Mar 8, 2026
…aw#36280) (openclaw#36316) * fix: strip skill-injected env vars from ACP harness spawn env Skill apiKey entries (e.g., openai-image-gen with primaryEnv=OPENAI_API_KEY) are set on process.env during agent runs and only reverted after the run completes. ACP harnesses like Codex CLI inherit these vars, causing them to silently use API billing instead of their own auth (e.g., OAuth). The fix tracks which env vars are actively injected by skill overrides in a module-level Set (activeSkillEnvKeys) and strips them in resolveAcpClientSpawnEnv() before spawning ACP child processes. Fixes openclaw#36280 * ACP: type spawn env for stripped keys * Skills: cover active env key lifecycle * Changelog: note ACP skill env isolation * ACP: preserve shell marker after env stripping --------- Co-authored-by: Vincent Koc <[email protected]>
16 tasks
jenawant
pushed a commit
to jenawant/openclaw
that referenced
this pull request
Mar 10, 2026
…aw#36280) (openclaw#36316) * fix: strip skill-injected env vars from ACP harness spawn env Skill apiKey entries (e.g., openai-image-gen with primaryEnv=OPENAI_API_KEY) are set on process.env during agent runs and only reverted after the run completes. ACP harnesses like Codex CLI inherit these vars, causing them to silently use API billing instead of their own auth (e.g., OAuth). The fix tracks which env vars are actively injected by skill overrides in a module-level Set (activeSkillEnvKeys) and strips them in resolveAcpClientSpawnEnv() before spawning ACP child processes. Fixes openclaw#36280 * ACP: type spawn env for stripped keys * Skills: cover active env key lifecycle * Changelog: note ACP skill env isolation * ACP: preserve shell marker after env stripping --------- Co-authored-by: Vincent Koc <[email protected]>
dhoman
pushed a commit
to dhoman/chrono-claw
that referenced
this pull request
Mar 11, 2026
…aw#36280) (openclaw#36316) * fix: strip skill-injected env vars from ACP harness spawn env Skill apiKey entries (e.g., openai-image-gen with primaryEnv=OPENAI_API_KEY) are set on process.env during agent runs and only reverted after the run completes. ACP harnesses like Codex CLI inherit these vars, causing them to silently use API billing instead of their own auth (e.g., OAuth). The fix tracks which env vars are actively injected by skill overrides in a module-level Set (activeSkillEnvKeys) and strips them in resolveAcpClientSpawnEnv() before spawning ACP child processes. Fixes openclaw#36280 * ACP: type spawn env for stripped keys * Skills: cover active env key lifecycle * Changelog: note ACP skill env isolation * ACP: preserve shell marker after env stripping --------- Co-authored-by: Vincent Koc <[email protected]>
senw-developers
pushed a commit
to senw-developers/va-openclaw
that referenced
this pull request
Mar 17, 2026
…aw#36280) (openclaw#36316) * fix: strip skill-injected env vars from ACP harness spawn env Skill apiKey entries (e.g., openai-image-gen with primaryEnv=OPENAI_API_KEY) are set on process.env during agent runs and only reverted after the run completes. ACP harnesses like Codex CLI inherit these vars, causing them to silently use API billing instead of their own auth (e.g., OAuth). The fix tracks which env vars are actively injected by skill overrides in a module-level Set (activeSkillEnvKeys) and strips them in resolveAcpClientSpawnEnv() before spawning ACP child processes. Fixes openclaw#36280 * ACP: type spawn env for stripped keys * Skills: cover active env key lifecycle * Changelog: note ACP skill env isolation * ACP: preserve shell marker after env stripping --------- Co-authored-by: Vincent Koc <[email protected]>
V-Gutierrez
pushed a commit
to V-Gutierrez/openclaw-vendor
that referenced
this pull request
Mar 17, 2026
…aw#36280) (openclaw#36316) * fix: strip skill-injected env vars from ACP harness spawn env Skill apiKey entries (e.g., openai-image-gen with primaryEnv=OPENAI_API_KEY) are set on process.env during agent runs and only reverted after the run completes. ACP harnesses like Codex CLI inherit these vars, causing them to silently use API billing instead of their own auth (e.g., OAuth). The fix tracks which env vars are actively injected by skill overrides in a module-level Set (activeSkillEnvKeys) and strips them in resolveAcpClientSpawnEnv() before spawning ACP child processes. Fixes openclaw#36280 * ACP: type spawn env for stripped keys * Skills: cover active env key lifecycle * Changelog: note ACP skill env isolation * ACP: preserve shell marker after env stripping --------- Co-authored-by: Vincent Koc <[email protected]>
alexey-pelykh
pushed a commit
to remoteclaw/remoteclaw
that referenced
this pull request
Mar 20, 2026
…aw#36280) (openclaw#36316) (cherry picked from commit ae96a81)
alexey-pelykh
added a commit
to remoteclaw/remoteclaw
that referenced
this pull request
Mar 20, 2026
…aw#36280) (openclaw#36316) (#1733) (cherry picked from commit ae96a81) Co-authored-by: Drew Wagner <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #36280 — Skill
apiKeyentries leak as provider env vars (e.g.,OPENAI_API_KEY) to ACP harness child processes, causing Codex CLI to silently use API billing instead of OAuth.Root Cause
applySkillConfigEnvOverrides()sets skill API keys onprocess.env(e.g.,OPENAI_API_KEYfromopenai-image-gen'sprimaryEnv) at the start of an agent run and only reverts them in thefinallyblock after the run completes. During the run,resolveAcpClientSpawnEnv()spreadsprocess.envinto the child process env, so ACP harnesses like Codex CLI inherit the leaked keys.Fix
Track injected keys: Added a module-level
activeSkillEnvKeysSet inenv-overrides.tsthat tracks which env vars are currently injected by skill overrides. The set is populated when keys are applied and cleared when the reverter runs.Strip on ACP spawn: Extended
resolveAcpClientSpawnEnv()to accept an optionalstripKeysset. The call site increateAcpClient()passes the active skill env keys so they're stripped from the child process environment.No config changes needed: The fix is automatic — no user configuration required.
Changed Files
src/agents/skills/env-overrides.ts— AddedactiveSkillEnvKeystracking +getActiveSkillEnvKeys()exportsrc/acp/client.ts— ExtendedresolveAcpClientSpawnEnv()withstripKeysoption; call site passes skill env keyssrc/acp/client.test.ts— 2 new tests forstripKeysbehaviorsrc/agents/skills/env-overrides.test.ts— New test file forgetActiveSkillEnvKeys()Testing
All existing tests pass. New tests verify:
baseEnvis not mutated