Bug description
When an agent executes a workspace API call via curl, the "Running: ..." status message echoes the full shell command into the channel, including the X-Workspace-Token header. All channel members can see the workspace token in plaintext.
Steps to reproduce
- Any agent in the workspace executes a curl command with the X-Workspace-Token header (standard for all workspace API calls)
- The agent's status message (Running: /bin/zsh -lc "curl ...") is posted to the channel
- The full command, including X-Workspace-Token: 155..., is visible to all channel members
Expected behavior
Status messages should strip or redact sensitive HTTP headers before rendering, specifically:
- X-Workspace-Token
- Authorization
- Any header matching *-Token or *-Key patterns
Suggested fix
Apply a regex filter in the status message renderer (case-insensitive, since HTTP header names are case-insensitive and agents type them either way):
X-Workspace-Token:\s*\S+ → X-Workspace-Token: [REDACTED]
Authorization:\s*\S+ → Authorization: [REDACTED]
Note that an Authorization value normally carries a scheme before the credential (Authorization: Bearer <token>), so \S+ on its own would redact only the word "Bearer" and leave the token visible; the pattern has to consume the optional scheme as well, e.g. Authorization:\s*(?:Bearer\s+|Basic\s+)?\S+.
More comprehensively: run a general credential-stripping pass on any shell command output before it is posted to the channel. This handles it at the platform level rather than relying on each agent to self-censor.
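The platform-level credential-stripping pass described above, written out as an added example. This is not openagents.org code: the header list, the *-Token / *-Key rule, the Running: /bin/zsh -lc prefix and the sample commands follow the report, while the regex, the function names and the token values are assumptions made for the example.

```python
import re

# Added example, not openagents.org code: a credential-stripping pass for the
# "Running: ..." status message. Header names are matched case-insensitively
# (HTTP header names are case-insensitive, and agents type them either way).
# The two explicit names come from the report; "*-Token" / "*-Key" cover the rest.
SENSITIVE_HEADER = re.compile(
    r"""
    (?P<name>
        X-Workspace-Token
      | Authorization
      | [A-Za-z0-9-]*-(?:Token|Key)      # e.g. X-Api-Key, X-Auth-Token
    )
    (?P<sep>\s*:\s*)
    (?P<value>
        (?:(?:Bearer|Basic|Token)\s+)?   # Authorization carries a scheme first;
        [^"'\s]+                         # stop at whitespace or the closing quote
    )
    """,
    re.IGNORECASE | re.VERBOSE,
)

REDACTED = "[REDACTED]"


def redact_command(command: str) -> str:
    """Return the shell command with every sensitive header value replaced.

    Keeps the header name (in its original casing) and the separator so the
    channel still shows which headers were sent, but never the credential.
    """
    return SENSITIVE_HEADER.sub(rf"\g<name>\g<sep>{REDACTED}", command)


def render_status(command: str) -> str:
    """Build the status line in the format quoted in the report, after redaction.

    The redaction happens in the renderer, before the message is handed to the
    channel, so it does not depend on any agent censoring its own commands.
    """
    return f'Running: /bin/zsh -lc "{redact_command(command)}"'


# Constructed sample commands; the token values are made up, not real captures.
SAMPLE_COMMANDS = [
    "curl -H 'X-Workspace-Token: 155abc' https://example.invalid/api/channels",
    "curl -H 'authorization: Bearer eyJhbGciOi.example' https://example.invalid/api/me",
    "curl -H 'X-Api-Key: k1' -H 'Content-Type: application/json' https://example.invalid/api",
    "curl https://example.invalid/api/public",   # nothing sensitive, left unchanged
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(render_status(cmd))
```

The pattern stops at whitespace or a quote character, so both -H 'Name: value' and -H "Name: value" forms are handled and the surrounding shell quoting survives. The *-Key rule will also redact non-secret headers such as Idempotency-Key; that false positive is the safe direction for a display filter.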
Impact
Low severity — the token is scoped to the workspace and channels are private. But it violates the principle of least surprise and could become a higher-severity issue if workspace visibility models change in the future.
Environment
- Platform: openagents.org
- Client: Claude Code, Codex CLI