Summary
Right's provider model injects third-party credentials at the OpenShell proxy: the sandbox only ever sees an opaque placeholder env var (e.g. GITHUB_TOKEN=openshell:resolve:env:v…_GITHUB_TOKEN), and the proxy substitutes the real value into outbound requests after TLS termination. We verified that this substitution is keyed purely by env-var name and is not scoped to the owning provider's hosts.
Empirically verified against a live OpenShell v0.0.50 gateway (two throwaway providers, fake credentials, two public header-echo hosts):
- Holds (no exfil to the open internet): a placeholder sent to a non-provider host that travels through a raw tls: skip tunnel — i.e. the entire public internet under the default permissive network policy — is not substituted. Only the inert placeholder string leaves the box. A compromised agent cannot exfiltrate a credential to an arbitrary internet host.
- Gap (cross-provider): provider A's placeholder, sent to provider B's TLS-terminated host, is substituted to A's real value. An agent with ≥2 attached credentialed providers (or an external L7-terminated MCP host) can cause provider A's token to be delivered to provider B's host.
This is a documented OpenShell limitation, not a Right bug. Per the OpenShell providers-v2 docs: "Credential confinement is NOT enforced at runtime … the proxy substitutes it based on environment variable name alone — not by target endpoint." "Endpoint and binary scoped credential injection" is an explicit OpenShell roadmap item — provider profile endpoints affect policy composition, but do not yet restrict which outbound requests receive credential injection.
Impact / current mitigations
- Bounded: agents cannot register or remove providers/MCP servers — the set of TLS-terminated hosts is operator-curated. The realistic exposure is a prompt-injected agent moving credential A to another host the operator already attached.
- The largest exfiltration vector (an arbitrary attacker-controlled internet host) is closed by the raw-tunnel behaviour above.
Action
- Track OpenShell's endpoint-scoped credential injection; adopt it (scope each provider's credential to its own endpoints) once it ships.
- Until then: documented in README.md / docs/SECURITY.md; do not rely on provider-profile endpoints to confine credentials.
(Discovered while designing GitHub write-access provisioning.)
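A simplified model of the three cases above (raw tunnel, cross-provider, owning provider), added here as an illustration and not taken from OpenShell or Right. The provider names, hosts, fake secrets and placeholder format are constructed, and the `endpoint_scoped` branch is an assumption about how the roadmap item would behave.

```python
# Simplified model of the behaviour described in this issue; not OpenShell or Right code.
# Provider names, hosts, secrets and the placeholder format are constructed.
from dataclasses import dataclass

PREFIX = "placeholder:env:"  # constructed stand-in for the opaque placeholder format


@dataclass(frozen=True)
class Provider:
    env_name: str     # env var the sandbox sees only as a placeholder
    secret: str       # real value, held by the proxy
    hosts: frozenset  # TLS-terminated hosts attached for this provider


PROVIDERS = [
    Provider("A_TOKEN", "fake-secret-A", frozenset({"api.a.example"})),
    Provider("B_TOKEN", "fake-secret-B", frozenset({"api.b.example"})),
]
TERMINATED = frozenset().union(*(p.hosts for p in PROVIDERS))


def outbound_value(header_value: str, host: str, endpoint_scoped: bool) -> str:
    """Return what the destination host receives for one header value."""
    if host not in TERMINATED:
        return header_value  # raw tunnel: the proxy never rewrites the request
    for p in PROVIDERS:
        token = PREFIX + p.env_name
        if token in header_value:
            if endpoint_scoped and host not in p.hosts:
                continue  # assumed scoped mode: foreign host gets the inert placeholder
            header_value = header_value.replace(token, p.secret)  # keyed by name only
    return header_value


def cross_provider_exposure(endpoint_scoped: bool) -> list:
    """List (env_name, host) pairs where a credential reaches another provider's host."""
    return sorted(
        (p.env_name, host)
        for p in PROVIDERS
        for host in TERMINATED - p.hosts
        if p.secret in outbound_value("Bearer " + PREFIX + p.env_name, host, endpoint_scoped)
    )


if __name__ == "__main__":
    print("name-keyed:", cross_provider_exposure(False))
    print("scoped:    ", cross_provider_exposure(True))
```

Running `cross_provider_exposure(False)` over an operator's real provider list gives the set of credential/host pairs to review until endpoint-scoped injection is available.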