Summary
When using --sandbox docker, LLM API keys are forwarded into the container via forward_env. This allows code running inside the container to read and potentially exfiltrate these secrets.
Current Behavior
"forward_env": [
"GITHUB_TOKEN",
"GH_TOKEN",
"OPENAI_API_KEY",
"ANTHROPIC_API_KEY",
"GEMINI_API_KEY",
"DEEPSEEK_API_KEY",
"GROQ_API_KEY",
],Why It's Needed
The agent needs API keys to call LLMs. Without them, Docker mode doesn't work.
Summary
When using
--sandbox docker, LLM API keys are forwarded into the container viaforward_env. This allows code running inside the container to read and potentially exfiltrate these secrets.Current Behavior
Why It's Needed
The agent needs API keys to call LLMs. Without them, Docker mode doesn't work.