M-002: .env Secret Exposure Risk

[shrwnsan]

Severity: Medium

Location

agentbox:378-381, README documentation

Issue

Project recommends storing GH_TOKEN in .env file at project root, but .env is not in .gitignore. If committed, secrets are exposed to repository history.

Impact

Credential leakage if .env is accidentally committed.

Remediation

1. Add .env to project .gitignore template
2. Add warning in README about .env files and git
3. Consider adding pre-commit hook to reject .env commits

Reference

See docs/eval-001-security-review.md for full review.

---

🤖 Generated by Claude Code - GLM 4.7

[shrwnsan]

Review Assessment

Recommendation: Address with .gitignore + documentation

This is a common security pitfall that's easy to prevent:

Why fix this:

• High impact: Prevents accidental credential leakage to repository history
• Common mistake: Developers frequently commit .env files by accident
• Easy remediation: Simple changes with clear benefit
• Aligns with project philosophy: AgentBox already demonstrates security awareness

Suggested remediation:

Priority 1: Add to .gitignore
Add .env to the project's .gitignore file (or create one if it doesn't exist)

Priority 2: Document the risk
Add a warning section in the README near the .env configuration instructions:

⚠️ **Security Warning**: Never commit .env files to version control. 
Ensure .env is in your .gitignore before adding secrets.

Optional: Pre-commit hook
For users who need extra protection, suggest tools like git-secrets or gitleaks in the documentation, but this may be overkill for the main project scope.

---

Reviewed and generated by: Warp - Claude Sonnet 4.5

[shrwnsan]

Closing as out of scope.

Each individual project is responsible for its own .gitignore
configuration. The .env file is created in the target project
directory (e.g., ~/code/project/.env), not in the AgentBox
repository itself. Users should ensure their target projects
properly configure .gitignore before adding secrets.