Add guidance to avoid exposing raw secret values in conversation #1855
Conversation
Update system prompt to instruct agents to never print, echo, or view the full value of secrets. Since conversation history may be logged or shared, exposing raw secret values could compromise security. Agents should always pass secrets by reference using environment variables. Co-authored-by: openhands <openhands@all-hands.dev>
Coverage Report •
|
all-hands-bot
left a comment
all-hands-bot
left a comment
There was a problem hiding this comment.
Code Review Summary
This PR addresses an important security concern, but the implementation introduces contradictory guidance that could confuse agents. The main issues: (1) conflicting examples about echoing tokens, (2) confusing "pass by reference" terminology, and (3) weak test coverage. See inline comments for specific suggestions.
| @@ -30,6 +30,7 @@ You can also directly look up a skill's full content by reading its location pat | |||
| * How to use secrets: Simply reference the secret key in your command (e.g., `echo ${GITHUB_TOKEN:0:8}` or `curl -H "Authorization: Bearer $API_KEY" https://api.example.com`). The system will detect the key name in your command text and export it as environment variable before it executes your command. | |||
There was a problem hiding this comment.
🟠 Important: This line shows echo ${GITHUB_TOKEN:0:8} as a valid example, but line 33 says "Never attempt to print, echo, or otherwise view the full value of secrets (e.g., avoid echo $GITHUB_TOKEN)".
While technically you distinguish between "partial" (first 8 chars) and "full" value, the guidance is confusing because:
- Line 33 says "Never attempt to print, echo, or otherwise view" which sounds absolute
- Users might think this example is now wrong
- The real distinction (debugging partial values vs. viewing full secrets) is unclear
Suggestion: Either remove the echo ${GITHUB_TOKEN:0:8} example entirely, or explicitly clarify in line 33 that viewing prefixes for debugging is acceptable but viewing the full value is not.
| * How to use secrets: Simply reference the secret key in your command (e.g., `echo ${GITHUB_TOKEN:0:8}` or `curl -H "Authorization: Bearer $API_KEY" https://api.example.com`). The system will detect the key name in your command text and export it as environment variable before it executes your command. | ||
| * Secret detection: The system performs case-insensitive matching to find secret keys in your command text. If a registered secret key appears anywhere in your command, its value will be made available as an environment variable. | ||
| * Security: Secret values are automatically masked in command output to prevent accidental exposure. You will see `<secret-hidden>` instead of the actual secret value in the output. | ||
| * Avoid exposing raw secrets: Never attempt to print, echo, or otherwise view the full value of secrets (e.g., avoid `echo $GITHUB_TOKEN`). The conversation history may be logged or shared, and exposing raw secret values could compromise security. Always pass secrets by reference using environment variables. |
There was a problem hiding this comment.
🟠 Important: The phrase "Always pass secrets by reference using environment variables" is confusing because:
- The secrets ARE already environment variables
- "Pass by reference" is programming language terminology that doesn't apply to shell environment variables
- It's unclear what action this is recommending
Suggestion: Rephrase to something clearer like:
* Avoid exposing raw secrets: Never echo or print the full value of secrets to view them (e.g., avoid `echo $GITHUB_TOKEN`). The conversation history may be logged or shared, and exposing raw secret values could compromise security. Instead, use secrets directly in your commands (e.g., in curl headers, git URLs) where they serve their intended purpose.
| * Secret detection: The system performs case-insensitive matching to find secret keys in your command text. If a registered secret key appears anywhere in your command, its value will be made available as an environment variable. | ||
| * Security: Secret values are automatically masked in command output to prevent accidental exposure. You will see `<secret-hidden>` instead of the actual secret value in the output. | ||
| * Avoid exposing raw secrets: Never attempt to print, echo, or otherwise view the full value of secrets (e.g., avoid `echo $GITHUB_TOKEN`). The conversation history may be logged or shared, and exposing raw secret values could compromise security. Always pass secrets by reference using environment variables. | ||
| * Refreshing expired secrets: Some secrets (like GITHUB_TOKEN) may be updated periodically or expire over time. If a secret stops working (e.g., authentication failures), try using it again in a new command - the system should automatically use the refreshed value. For example, if GITHUB_TOKEN was used in a git remote URL and later expired, you can update the remote URL with the current token: `git remote set-url origin https://${GITHUB_TOKEN}@github.com/username/repo.git` to pick up the refreshed token value. |
There was a problem hiding this comment.
🟡 Suggestion: This example also technically exposes the token value, since https://${GITHUB_TOKEN}@github.com/username/repo.git will:
- Appear in git remote configs
- Potentially appear in process lists
- Be visible in shell history
This seems to contradict the guidance in line 33 about not exposing secrets. Consider adding a note that this is a necessary exception for git authentication, or showing an alternative like using credential helpers.
Note: This is a pre-existing issue in the template, not introduced by this PR, but worth addressing for consistency.
|
Looks like there are a few issues preventing this PR from being merged!
If you'd like me to help, just leave a comment, like Feel free to include any additional details that might help me get this PR into a better state. You can manage your notification settings |
enyst
left a comment
enyst
left a comment
There was a problem hiding this comment.
Could you please tell, do I understand correctly, the issue is that the agent printed a partial secret, e.g. the first 4 or the first 8 characters?
|
@enyst printing partial secret is ok-ish, this basically try to discourage the agent from doing |
|
@OpenHands please address the unresolved review comments here - make sure all tests pass before you push |
|
I'm on it! xingyaoww can track my progress at all-hands.dev |
- Remove confusing 'pass by reference' terminology - Remove echo example from 'How to use secrets' to avoid contradiction - Clarify that secrets should be used directly in commands (curl headers, git URLs) - Improve test to verify guidance is within CUSTOM_SECRETS section
|
I've addressed all the review comments from PR #1855 and pushed the changes. Here's a summary: Changes Made1. Template (
|
openhands-sdk/openhands/sdk/context/prompts/templates/system_message_suffix.j2
Outdated
Show resolved
Hide resolved
enyst
left a comment
enyst
left a comment
There was a problem hiding this comment.
Worth trying IMHO.
On the scenario it’s fixing, what LLM was it?
…essage_suffix.j2 Co-authored-by: Engel Nyst <engel.nyst@gmail.com>
|
@enyst i think it didn't print the full key this time (it was opus), but i did remember sonnet printed a full key at some point, so couldn't hurt to get this in |
4 participants
Summary
This PR adds guidance to the system prompt instructing agents to avoid viewing or exposing raw secret/token values.
Motivation
Conversation history may be logged, stored, or shared (e.g., for debugging, sharing sessions, or review). If an agent prints or echoes the full value of a secret (e.g.,
echo $GITHUB_TOKEN), those raw values could be exposed in the conversation logs, compromising security.This change was discussed in a slack thread when an agent revealed the prefix of a GitHub token when asked if it had access to the token.
Changes
Updated
system_message_suffix.j2template to include new guidance:Added test assertions to verify the new guidance is included in the system message suffix when secrets are configured.
Testing
test_agent_context.py- all pass@xingyaoww can click here to continue refining the PR
Agent Server images for this PR
• GHCR package: https://github.com/OpenHands/agent-sdk/pkgs/container/agent-server
Variants & Base Images
eclipse-temurin:17-jdknikolaik/python-nodejs:python3.13-nodejs22golang:1.21-bookwormPull (multi-arch manifest)
# Each variant is a multi-arch manifest supporting both amd64 and arm64 docker pull ghcr.io/openhands/agent-server:47b6ba8-pythonRun
All tags pushed for this build
About Multi-Architecture Support
47b6ba8-python) is a multi-arch manifest supporting both amd64 and arm6447b6ba8-python-amd64) are also available if needed