Security: agent subprocess inherits all OAB env vars (including DISCORD_BOT_TOKEN) #669

@chaodu-agent

Description

Summary

AcpConnection::spawn() in connection.rs does not call env_clear() before spawning the agent subprocess. As a result, the child process inherits all environment variables from the OAB parent process, including sensitive credentials like DISCORD_BOT_TOKEN, SLACK_BOT_TOKEN, etc.

The [agent].env config is additive — it adds variables on top of the inherited environment, not a whitelist replacement.

Impact

A user can ask the agent to run env or echo $DISCORD_BOT_TOKEN and the agent will return the value. The agent could also be tricked via prompt injection to exfiltrate these credentials through arbitrary outbound requests (e.g. curl).

Reproduction

  1. Set DISCORD_BOT_TOKEN as an env var for the OAB process
  2. Ask the agent: "run env and show me the output"
  3. The agent returns all OAB env vars including DISCORD_BOT_TOKEN

Fix

Add cmd.env_clear() before injecting [agent].env values, and explicitly pass only HOME and PATH as baseline variables:

```rust
// Start from an empty environment instead of inheriting the OAB process's.
cmd.env_clear();
// Explicit baseline: only HOME and PATH are passed through.
cmd.env("HOME", working_dir);
cmd.env("PATH", std::env::var("PATH").unwrap_or_default());
// Then layer on exactly what [agent].env lists.
for (k, v) in env {
    cmd.env(k, expand_env(v));
}
```

This ensures the agent subprocess only sees credentials explicitly listed in [agent].env.
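The following is an added, self-contained demonstration of the inheritance problem and the `env_clear()` allowlist fix; it is not code from OAB or from this issue. It plants a constructed fake `DISCORD_BOT_TOKEN` in the current process (standing in for the OAB parent), spawns the POSIX `env` utility both ways, and reports which credential names the child could read. The project's `expand_env` helper is not reproduced; `[agent].env` is modelled as a plain `BTreeMap`, and the working directory `/tmp/agent` is a placeholder.

```rust
use std::collections::{BTreeMap, HashMap};
use std::process::Command;

/// Variable names treated as credentials in this demonstration (constructed list).
const SECRET_VARS: &[&str] = &["DISCORD_BOT_TOKEN", "SLACK_BOT_TOKEN"];

/// Leaky spawn, as the issue describes: no env_clear(), so the child inherits
/// every variable of the parent and [agent].env is merely layered on top.
fn leaky_command(program: &str, agent_env: &BTreeMap<String, String>) -> Command {
    let mut cmd = Command::new(program);
    for (k, v) in agent_env {
        cmd.env(k, v);
    }
    cmd
}

/// Hardened spawn: start from an empty environment, pass an explicit baseline
/// (HOME and PATH), then only what [agent].env lists.
fn allowlisted_command(
    program: &str,
    working_dir: &str,
    agent_env: &BTreeMap<String, String>,
) -> Command {
    let mut cmd = Command::new(program);
    cmd.env_clear();
    cmd.env("HOME", working_dir);
    cmd.env("PATH", std::env::var("PATH").unwrap_or_default());
    for (k, v) in agent_env {
        cmd.env(k, v);
    }
    cmd
}

/// Parse the `KEY=VALUE` lines printed by the POSIX `env` utility.
fn parse_env_output(stdout: &str) -> HashMap<String, String> {
    stdout
        .lines()
        .filter_map(|line| {
            let (k, v) = line.split_once('=')?;
            Some((k.to_string(), v.to_string()))
        })
        .collect()
}

/// Run `cmd` (expected to be `env`) and return the environment the child saw.
fn child_environment(cmd: &mut Command) -> HashMap<String, String> {
    let out = cmd.output().expect("failed to run `env`");
    parse_env_output(&String::from_utf8_lossy(&out.stdout))
}

/// Which of SECRET_VARS the child process could read.
fn leaked_secrets(child_env: &HashMap<String, String>) -> Vec<String> {
    SECRET_VARS
        .iter()
        .filter(|name| child_env.contains_key(**name))
        .map(|name| name.to_string())
        .collect()
}

/// Plant a constructed fake token in this process, standing in for the OAB parent.
fn plant_fake_secret() {
    // `unsafe` is mandatory for set_var on edition 2024; on older editions it is just unused.
    unsafe { std::env::set_var("DISCORD_BOT_TOKEN", "constructed-fake-token") };
}

/// Stand-in for the parsed [agent].env table (constructed).
fn demo_agent_env() -> BTreeMap<String, String> {
    let mut agent_env = BTreeMap::new();
    agent_env.insert("AGENT_MODE".to_string(), "demo".to_string());
    agent_env
}

fn main() {
    plant_fake_secret();
    let agent_env = demo_agent_env();

    let leaky = child_environment(&mut leaky_command("env", &agent_env));
    println!("inherited environment leaks: {:?}", leaked_secrets(&leaky));

    let safe = child_environment(&mut allowlisted_command("env", "/tmp/agent", &agent_env));
    println!("env_clear + allowlist leaks: {:?}", leaked_secrets(&safe));
}
```

Running it shows the inherited spawn exposing `DISCORD_BOT_TOKEN` to the child while the allowlisted spawn exposes none of the listed names yet still carries `HOME`, `PATH` and the `[agent].env` entries. The same check can serve as a regression test for the fix: spawn `env` through the real `AcpConnection::spawn()` path and assert that no parent-only variable appears in the output.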
