hermes - 💡(How to fix) Fix [Security] Subprocess spawns inherit ANTHROPIC_API_KEY / OAuth tokens by default; recommend strip-by-default policy

Summary

When Hermes spawns a subprocess (for tool calls, hooks, integrations, optional executors), the child inherits the full parent environment by default — including ANTHROPIC_API_KEY, CLAUDE_CODE_OAUTH_TOKEN, ANTHROPIC_TOKEN, and any other provider credentials the user has exported.

If the child is a tool the user trusts to receive credentials (e.g., the user's own Anthropic-using CLI), this is intentional. If the child is anything else — a community plugin, an optional sandbox runner, a third-party CLI invoked via a skill, a log analyzer, a static-analysis tool — credentials are silently leaked into that process's accounting / logs / subprocesses / debug output.

I think this should be strip-by-default, opt-in to inherit.

Severity

• Platform: all
• Likelihood: depends on how many subprocess spawn sites currently inherit env (probably most, since env=... parameter is left unset by default in subprocess / asyncio.subprocess_*)
• Impact: high — Anthropic credentials in a subprocess accessible to anything the child does (its own log, its own subprocess spawns, its own crash dumps, system-level process accounting on shared hosts)

Trust model

Spawn callsites fall into three buckets:

Currently the default is "yes everywhere," which inverts the safer policy.

Reproduction (illustrative)

# Simulate a community skill that spawns a child
import asyncio, os, json

async def main():
    proc = await asyncio.create_subprocess_exec(
        "python", "-c",
        "import os, json; print(json.dumps({k: 'present' for k in os.environ if k.startswith('ANTHROPIC')}))",
        stdout=asyncio.subprocess.PIPE,
    )
    out, _ = await proc.communicate()
    print(out.decode())

asyncio.run(main())

# If parent has ANTHROPIC_API_KEY set, child sees it:
# {"ANTHROPIC_API_KEY": "present"}

Workaround currently used downstream

In #31385 I maintain a hard-coded blocklist:

CLAUDE_ENV_BLOCKLIST = (
    "ANTHROPIC_API_KEY",
    "ANTHROPIC_TOKEN",
    "CLAUDE_CODE_OAUTH_TOKEN",
)

def stripped_env() -> dict:
    return {k: v for k, v in os.environ.items() if k not in CLAUDE_ENV_BLOCKLIST}

…and apply it before spawning the executor subprocess. This is correct for the executor case, but the same pattern should be applied wherever Hermes spawns anything that isn't explicitly trusted with provider creds.

Proposed fix

1. Centralize a hermes_subprocess_env(*, inherit_credentials=False) helper
2. Default policy: strip provider credential names (ANTHROPIC_API_KEY, ANTHROPIC_TOKEN, CLAUDE_CODE_OAUTH_TOKEN, OPENAI_API_KEY, OPENROUTER_API_KEY, GROQ_API_KEY, XIAOMI_MIMO_API_KEY, …; the full list lives next to the provider abstractions and stays in sync as new providers are added)
3. Audit subprocess-spawn callsites; pass env=hermes_subprocess_env() everywhere
4. Skill / executor authors who do need creds can pass inherit_credentials=True explicitly, which is grep-able for audit
5. Document this in CONTRIBUTING under the security section

Related

• #31385 (subprocess executor bridge — applies the strip pattern in opt-in mode)
• Sibling PYTHONUTF8 issue I'm filing alongside this (would share the same hermes_subprocess_env() helper)

Happy to PR the helper + audit. Filing as a security issue for triage first; if the maintainer view is "current default is fine, document it instead," I'll close.