From b722189ef17c60807e16544f09ccef25a902e05f Mon Sep 17 00:00:00 2001
From: Argenis <theonlyhennygod@gmail.com>
Date: Sun, 15 Feb 2026 08:24:01 -0500
Subject: [PATCH] fix: clear environment variables in shell tool to prevent
 secret leakage

This fix addresses CWE-200 by clearing environment variables before
executing shell commands and only re-adding safe, functional variables.

- Add SAFE_ENV_VARS constant with whitelist of safe variables
- Use .env_clear() before executing commands
- Add tests for environment variable isolation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>