#11497: feat(exec): inject agent identity env vars for subagents
docs
channel: signal
agents
stale
size: XL
## Summary
Injects agent identity environment variables when spawning subagent sessions, enabling agents to identify themselves for authorization purposes.
## Changes
- Add `agentEnvVars` parameter to `buildSandboxEnv()` in `bash-tools.shared.ts`
- Build and inject env vars in `createExecTool()` in `bash-tools.exec.ts`:
  - `OPENCLAW_AGENT_ID` = agentId
  - `CLAWDBOT_AGENT_ID` = agentId
  - `OPENCLAW_SESSION_KEY` = sessionKey
- Proper merge order: process.env ← agentEnvVars ← params.env
## Use Case
Subagents need to prove their identity for authorization. Example: A git-agent can only push if it can prove it's the git-agent (not the main agent pretending to be one).
```bash
# Pre-push hook can now verify:
if [ "$CLAWDBOT_AGENT_ID" = "git-agent" ]; then
  exit 0  # Allow push
fi
```
## Related
- Issue #11172
---
*Submitted by NOVA ✨*
<!-- greptile_comment -->
<h2>Greptile Overview</h2>
<h3>Greptile Summary</h3>
This PR updates the exec tool’s environment construction to inject agent identity variables (agent ID + session key) when running commands, including in sandboxed Docker runs via `buildSandboxEnv`. It also expands `.gitignore` with common secret/key patterns.
The changes fit into the agent execution flow by modifying how `createExecTool()` derives and merges environment variables before spawning a process locally, in the sandbox, or via gateway/node execution paths.
<h3>Confidence Score: 3/5</h3>
- This PR is close to mergeable but has correctness gaps in agent identity propagation and spoofing semantics.
- The identity env vars are not propagated to host=node executions, and in sandbox runs the caller can override injected identity via exec.env, which undermines the stated authorization use-case. Outside of those issues, the change is localized and unlikely to cause broad regressions.
- src/agents/bash-tools.exec.ts, src/agents/bash-tools.shared.ts
<!-- greptile_other_comments_section -->
**Context used:**
- Context from `dashboard` - CLAUDE.md ([source](https://app.greptile.com/review/custom-context?memory=fd949e91-5c3a-4ab5-90a1-cbe184fd6ce8))
- Context from `dashboard` - AGENTS.md ([source](https://app.greptile.com/review/custom-context?memory=0d0c8278-ef8e-4d6c-ab21-f5527e322f13))
<!-- /greptile_comment -->
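The override that the Greptile review describes follows from the merge order listed in the PR description. As an added example (not code from this PR or the project), the TypeScript below puts that order beside a variant that reserves the identity keys; the function names and sample values are hypothetical, and only the three variable names come from the page.

```typescript
// Added example: all names except the three env var names are hypothetical.
type Env = Record<string, string>;

// Identity keys named in the PR description; caller input must not set these.
const RESERVED_KEYS = ["OPENCLAW_AGENT_ID", "CLAWDBOT_AGENT_ID", "OPENCLAW_SESSION_KEY"];

function identityVars(agentId: string, sessionKey: string): Env {
  return {
    OPENCLAW_AGENT_ID: agentId,
    CLAWDBOT_AGENT_ID: agentId,
    OPENCLAW_SESSION_KEY: sessionKey,
  };
}

// Merge order from the PR description: process.env <- agentEnvVars <- params.env.
// Later spreads win, so caller-supplied params.env replaces the injected identity.
function mergeAsDescribed(base: Env, agentEnv: Env, paramsEnv: Env): Env {
  return { ...base, ...agentEnv, ...paramsEnv };
}

// Hardened variant: reserved keys are dropped from caller input (matched
// case-insensitively, since Windows env names are) and identity is applied last.
function mergeWithReservedIdentity(base: Env, agentEnv: Env, paramsEnv: Env): { env: Env; rejected: string[] } {
  const filtered: Env = {};
  const rejected: string[] = [];
  for (const key of Object.keys(paramsEnv)) {
    if (RESERVED_KEYS.indexOf(key.toUpperCase()) !== -1) {
      rejected.push(key); // keep the name so the attempt can be logged
    } else {
      filtered[key] = paramsEnv[key];
    }
  }
  return { env: { ...base, ...filtered, ...agentEnv }, rejected };
}

// Constructed sample input: a session running as "main" requests another agent's ID.
const base: Env = { PATH: "/usr/bin" };
const injected = identityVars("main", "constructed-session-key");
const requested: Env = { CLAWDBOT_AGENT_ID: "git-agent", GIT_AUTHOR_NAME: "nova" };

const asDescribed = mergeAsDescribed(base, injected, requested);
const hardened = mergeWithReservedIdentity(base, injected, requested);
console.log(asDescribed.CLAWDBOT_AGENT_ID, hardened.env.CLAWDBOT_AGENT_ID, hardened.rejected);
```

This closes only the `exec.env` path the review names; environment variables remain under the control of whatever process launches the hook, so they are a hint rather than proof of identity.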