A common misconception in our subforum is that OpenHands' primary threat is direct network exfiltration. While that's part of the threat model, a more subtle and pervasive risk is the leakage of secrets, API keys, and credentials through the tool's own output. The agent, by design, captures and forwards terminal output from commands it executes. If a developer runs `env`, `cat ~/.aws/credentials`, or even a flawed `grep` that reveals a secret in a log, that output is captured and could be transmitted to the LLM backend for analysis.
The core issue is that OpenHands operates at a level of privilege that sees *everything* printed to stdout/stderr. In a zero-trust model for the supply chain, we must assume the LLM backend is an untrusted processor. Therefore, the goal is to sanitize the data stream *before* it leaves the developer's workstation.
Configuration to mitigate this falls into three layers:
1. **Output Filtering via `allowed_command_patterns`:** This is your first and most critical line of defense. Restrict the agent to a known-safe subset of commands. This is a deny-by-default approach.
```yaml
# openhands-agent.yaml
security:
  allowed_command_patterns:
    - "^git (status|log|diff|branch)( .*)?$"
    - "^cargo (check|build|test)( .*)?$"
    - "^make( .*)?$"
    - "^/usr/bin/npm (run|test)( .*)?$"
  # Explicitly deny patterns that are high-risk
  blocked_command_patterns:
    - ".*(aws|az|gcloud).*"
    # "[.]env" matches a literal dot; an unescaped "." would match any character
    - ".*(cat|less|head|tail) .*([.]env|secret|credential).*"
    - "^env$"
    - "^printenv.*"
```
2. **Context Window Scrubbing:** The `session_context` configuration should be aggressively pruned. Do not allow the agent to send full file contents or large directory listings by default.
```yaml
session:
  max_file_size_kb: 10
  excluded_path_patterns:
    - "**/.env*"
    - "**/*secret*"
    - "**/credentials*"
    - "**/node_modules/**"
    - "**/target/**"
```
3. **Network Control:** This is a foundational, albeit blunt, instrument. Use it in conjunction with filtering.
```yaml
network:
  # If your corporate policy allows, restrict the backend URL to an on-premises instance.
  backend_url: "https://internal-openhands.your-company.com/v1/chat/completions"
  # If using the public service, consider a proxy for audit logging.
  proxy: "http://corporate-proxy:8080"
```
Important caveats:
* Pattern-based blocking is not foolproof. A command like `curl -s https://internal-service | grep -A 5 -B 5 "apiKey"` could slip through.
* The true solution requires a cultural shift: developers must be trained that the terminal session is potentially being logged. Tools like `git secret` or immediate credential rotation should be mandatory.
* I strongly recommend pairing this agent configuration with egress traffic inspection for the agent's process to detect anomalies.
Has anyone implemented a more robust content-based redaction layer, perhaps using a local pre-processing hook? Static pattern matching feels insufficient against creative leakage paths.
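As an added example that is not part of the original post or of OpenHands itself, here is a sketch of the local pre-processing hook asked about above: it applies the deny-by-default command check from the YAML and then scrubs captured output with labelled-secret patterns plus an entropy check for unlabelled tokens (the `grep "apiKey"` case). It assumes the hook receives the command string and the raw stdout/stderr text on the workstation before anything is forwarded; the allow/block lists, the 4.0-bit threshold and all sample values are constructed for the demonstration.

```python
import math
import re
from collections import Counter

# Constructed allow/block lists mirroring the YAML above (assumption: the hook
# runs on the workstation before output is forwarded to the LLM backend).
ALLOWED = [r"^git (status|log|diff|branch)( .*)?$", r"^cargo (check|build|test)( .*)?$"]
BLOCKED = [r".*(aws|az|gcloud).*", r"^env$", r"^printenv.*"]

# Labelled-secret patterns; \1 keeps the label so the model retains context.
SECRET_PATTERNS = [
    (re.compile(r"AKIA[0-9A-Z]{16}"), "[REDACTED]"),
    (re.compile(r"(?i)(authorization:\s*bearer\s+)\S+"), r"\1[REDACTED]"),
    (re.compile(r"(?im)^([A-Z_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Z_]*=)\S+"), r"\1[REDACTED]"),
]
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")  # candidates for the entropy check


def command_allowed(cmd: str) -> bool:
    """Deny by default: the command must match an allow pattern and no block pattern."""
    if any(re.match(p, cmd) for p in BLOCKED):
        return False
    return any(re.match(p, cmd) for p in ALLOWED)


def shannon_entropy(s: str) -> float:
    """Bits per character; hex (16 symbols) cannot exceed 4.0, random base64 runs higher."""
    probs = [n / len(s) for n in Counter(s).values()]
    return -sum(p * math.log2(p) for p in probs)


def redact(output: str) -> str:
    """Scrub labelled secrets, then any unlabelled high-entropy token."""
    for pattern, repl in SECRET_PATTERNS:
        output = pattern.sub(repl, output)
    # Git commit hashes are hex and stay at or below 4.0 bits, so they survive.
    return TOKEN_RE.sub(
        lambda m: "[REDACTED]" if shannon_entropy(m.group(0)) > 4.0 else m.group(0), output)


# Constructed terminal output: a commit hash, three labelled secrets, and one
# unlabelled token surfaced by a grep for "apiKey" (all values are made up).
SAMPLE_OUTPUT = """\
commit 3f2a9c1d7e4b8a6f0c5d2e1b9a8f7e6d5c4b3a21
aws_access_key_id = AKIAEXAMPLEKEY000000
DB_PASSWORD=hunter2
Authorization: Bearer Zx9Qw2Er7Ty4Ui1Op3As6Df8Gh5Jk0Lm
apiKey: Lm0kJ5hG8fD6sA3pO1iU4yT7rE2wQ9xZ
"""

if __name__ == "__main__":
    print("env allowed?", command_allowed("env"))  # False
    print(redact(SAMPLE_OUTPUT))
```

Note that `git log | grep aws` passes the allow list (the pattern permits a trailing pipe) and is only stopped by the block list, which is exactly the weakness of pattern-only filtering the caveats above describe.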