fix: use shallow clone to prevent reward hacking via git history

openhands-agent · openhands-agent · commit 157a4ffd1db0 · 2026-02-17T04:13:03.000Z
Use --depth 1 when cloning repositories to prevent agents from accessing
git history and exploiting it to retrieve original function implementations
that were stripped out.

This addresses a reward hacking vulnerability where agents can use
git log/diff/show commands to find and copy original implementations
instead of writing them from scratch.

For Commit0Spec, also fetch the specific env_setup_commit with --depth 1
before resetting to it, since shallow clone only gets the default branch tip.

Co-authored-by: openhands &lt;openhands@all-hands.dev&gt;
diff --git a/commit0/harness/spec.py b/commit0/harness/spec.py
@@ -114,9 +114,12 @@ def make_repo_script_list(self) -> list[str]:
         base_commit = self.instance["base_commit"]
 
         setup_commands = [
-            f"git clone -o origin https://github.com/{repo} {self.repo_directory}",
+            # Use --depth 1 for shallow clone to prevent agents from accessing
+            # git history and exploiting it to retrieve original implementations
+            f"git clone --depth 1 -o origin https://github.com/{repo} {self.repo_directory}",
             f"chmod -R 777 {self.repo_directory}",  # So nonroot user can run tests
             f"cd {self.repo_directory}",
+            f"git fetch --depth 1 origin {env_setup_commit}",
             f"git reset --hard {env_setup_commit}",
             # Remove the remote so the agent won't see newer commits.
             "git remote remove origin",
@@ -218,7 +221,9 @@ def make_repo_script_list(self) -> list[str]:
             specs["python"] = 3.7
 
         setup_commands = [
-            f"git clone -o origin https://github.com/{repo} {self.repo_directory}",
+            # Use --depth 1 for shallow clone to prevent agents from accessing
+            # git history and exploiting it to retrieve original implementations
+            f"git clone --depth 1 -o origin https://github.com/{repo} {self.repo_directory}",
             f"chmod -R 777 {self.repo_directory}",  # So nonroot user can run tests
             f"cd {self.repo_directory}",
             # Remove the remote so the agent won't see newer commits.
