security: [MEDIUM] Credential exposure via temp file in growth.sh #3182

@louisgv

Finding

File: .claude/skills/setup-agent-team/growth.sh:82-97
Severity: MEDIUM

Description

Reddit credentials are substituted into a markdown file that is then passed to claude via stdin. While the file is created with 0600 permissions, credentials still touch the filesystem unnecessarily.

Current flow:

PROMPT_FILE=$(mktemp /tmp/growth-prompt-XXXXXX.md)
chmod 0600 "${PROMPT_FILE}"
cat "$PROMPT_TEMPLATE" > "${PROMPT_FILE}"

# Substitute secrets into file
safe_substitute "REDDIT_CLIENT_ID_PLACEHOLDER" "${REDDIT_CLIENT_ID:-}" "${PROMPT_FILE}"
safe_substitute "REDDIT_CLIENT_SECRET_PLACEHOLDER" "${REDDIT_CLIENT_SECRET:-}" "${PROMPT_FILE}"
safe_substitute "REDDIT_USERNAME_PLACEHOLDER" "${REDDIT_USERNAME:-}" "${PROMPT_FILE}"
safe_substitute "REDDIT_PASSWORD_PLACEHOLDER" "${REDDIT_PASSWORD:-}" "${PROMPT_FILE}"

claude -p - < "${PROMPT_FILE}"

Risk

  • Credentials persisted to disk (even with 0600) can be recovered from disk snapshots, backups, or forensic analysis
  • If the cleanup trap fails (script killed with SIGKILL, system crash), the file persists
  • Other processes with elevated privileges can read the file

Recommendation

Modify the prompt template to reference environment variables directly, rather than substituting secrets into a temp file:

# In growth-prompt.md template:
Use Reddit API with credentials from:
- Client ID: ${REDDIT_CLIENT_ID}
- Client Secret: ${REDDIT_CLIENT_SECRET}
...

# In growth.sh:
REDDIT_CLIENT_ID="${REDDIT_CLIENT_ID:-}" \
REDDIT_CLIENT_SECRET="${REDDIT_CLIENT_SECRET:-}" \
REDDIT_USERNAME="${REDDIT_USERNAME:-}" \
REDDIT_PASSWORD="${REDDIT_PASSWORD:-}" \
  claude -p - < "${PROMPT_TEMPLATE}"

This keeps credentials in memory only, never touching the filesystem.


Discovered by shell-scanner
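
The SIGKILL persistence risk and the recommended environment flow above, shown side by side as an added example (not part of the original issue or the project's code). It assumes `sh -c` as a stand-in for the `claude` CLI, a constructed `DEMO_SECRET`, and scratch directories from `mktemp -d`.

```shell
#!/bin/sh
# Added example: constructed secret and a stand-in consumer (sh -c) in place
# of the claude CLI; no real credentials are involved.
export DEMO_SECRET="constructed-demo-secret"

# Temp-file flow from the issue. $1 is how the worker ends: "exit" or "kill".
# Prints how many files still contain the secret afterwards.
tempfile_flow_leftovers() (
  exec 2>/dev/null                        # hide the shell's "Killed" notice
  dir=$(mktemp -d) || exit 2
  MODE="$1" DIR="$dir" sh -c '
    f=$(mktemp "$DIR/growth-prompt-XXXXXX") && chmod 0600 "$f"
    trap "rm -f \"$f\"" EXIT              # cleanup trap, runs on normal exit
    printf "Client Secret: %s\n" "$DEMO_SECRET" > "$f"
    [ "$MODE" = kill ] && kill -KILL $$   # SIGKILL cannot be trapped
    exit 0
  ' || true
  grep -rl -- "$DEMO_SECRET" "$dir" | wc -l | tr -d " "
  rm -rf "$dir"
)

# Environment flow from the recommendation: the template keeps a literal
# ${REDDIT_CLIENT_SECRET} reference and the value travels only in the
# consumer's environment. The consumer is killed the same way.
env_flow_leftovers() (
  exec 2>/dev/null
  dir=$(mktemp -d) || exit 2
  printf '%s\n' 'Client Secret: ${REDDIT_CLIENT_SECRET}' > "$dir/growth-prompt.md"
  REDDIT_CLIENT_SECRET="$DEMO_SECRET" sh -c '
    cat >/dev/null                            # prompt arrives on stdin, unexpanded
    [ -n "$REDDIT_CLIENT_SECRET" ] || exit 1  # secret is present in the environment
    kill -KILL $$
  ' < "$dir/growth-prompt.md" || true
  grep -rl -- "$DEMO_SECRET" "$dir" | wc -l | tr -d " "
  rm -rf "$dir"
)

echo "temp file, clean exit: $(tempfile_flow_leftovers exit) file(s) hold the secret"
echo "temp file, SIGKILL:    $(tempfile_flow_leftovers kill) file(s) hold the secret"
echo "environment, SIGKILL:  $(env_flow_leftovers) file(s) hold the secret"
```

On Linux the environment of a running process is still readable through `/proc/<pid>/environ` by the same user and by root, so this change removes the on-disk copy but does not hide the values from privileged processes.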
