[Claimed #1777] fix: add variable substitution to keys tool#1813
Closed
github-actions[bot] wants to merge 2 commits intomainfrom
Closed
[Claimed #1777] fix: add variable substitution to keys tool#1813github-actions[bot] wants to merge 2 commits intomainfrom
github-actions[bot] wants to merge 2 commits intomainfrom
Conversation
The `keys` tool with `method: "type"` was not calling `substituteVariables()` before typing, so `%variableName%` tokens were typed literally instead of being resolved. This is easy to trigger when the agent clears a field (Ctrl+A → Delete) then types a variable value — it stays on the `keys` tool for the whole flow. - Accept `variables` parameter in `keysTool` (matching `typeTool`) - Call `substituteVariables()` before `page.type()` in the "type" branch - Pass `variables` to `keysTool` in `createAgentTools` - Return original token in result to avoid exposing sensitive values
Matches the pattern used by typeTool and actTool so the LLM agent knows %variableName% syntax is available when variables are present.
github-actions
bot
added
external-contributor
|
Contributor
Author
|
This mirrored PR was closed without merge. The original external PR #1777 has been reopened and relabeled as awaiting approval. |
2 tasks
Contributor
Greptile SummaryThis PR fixes variable substitution ( Key changes:
Issue found: The Confidence Score: 3/5
Important Files Changed
Flowchart%%{init: {'theme': 'neutral'}}%%
flowchart TD
A["keysTool called\n(v3, variables?)"] --> B{variables\nprovided?}
B -- Yes --> C["Build valueDescription\nwith available var names"]
B -- No --> D["Use default\nvalueDescription"]
C --> E["Return tool(...)"]
D --> E
E --> F["execute called\n(method, value, repeat)"]
F --> G{method?}
G -- type --> H["substituteVariables(value, variables)\n→ actualValue"]
H --> I["page.type(actualValue, delay:100)\n× times"]
I --> J["recordAgentReplayStep\nwith original value token"]
J --> K["return { success, method,\nvalue ← original token, times }"]
G -- press --> L["page.keyPress(value, delay:100)\n× times\n⚠️ NO substitution"]
L --> M["recordAgentReplayStep"]
M --> N["return { success, method, value, times }"]
Last reviewed commit: 9c30883 |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
Comment on lines
+9
to
+11
| const valueDescription = hasVariables | ||
| ? `The text to type, or the key/combo to press (Enter, Tab, Cmd+A). Use %variableName% to substitute a variable value. Available: ${Object.keys(variables).join(", ")}` | ||
| : "The text to type, or the key/combo to press (Enter, Tab, Cmd+A)"; |
Contributor
There was a problem hiding this comment.
Variable substitution description applies to both methods
The valueDescription hints that %variableName% substitution is available for the value field, but substituteVariables() is only called inside the method === "type" branch (line 43). If the LLM reads this description and uses method="press" with a token like %apiKey%, the literal string %apiKey% will be forwarded directly to page.keyPress(), which will either fail or press unexpected keys — the substitution silently does not occur.
The description should be scoped to clarify that variable substitution only works with method="type":
Suggested change
| const valueDescription = hasVariables | |
| ? `The text to type, or the key/combo to press (Enter, Tab, Cmd+A). Use %variableName% to substitute a variable value. Available: ${Object.keys(variables).join(", ")}` | |
| : "The text to type, or the key/combo to press (Enter, Tab, Cmd+A)"; | |
| const valueDescription = hasVariables | |
| ? `The text to type (method="type"), or the key/combo to press (method="press") (Enter, Tab, Cmd+A). When using method="type", use %variableName% to substitute a variable value. Available: ${Object.keys(variables).join(", ")}` | |
| : "The text to type, or the key/combo to press (Enter, Tab, Cmd+A)"; |
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
2 issues found across 2 files
Confidence score: 2/5
- There is a high-confidence security risk in
packages/core/lib/v3/agent/tools/keys.ts: on the error path, substituted secret values can be exposed to the LLM instead of staying as%variableName%tokens. packages/core/lib/v3/agent/tools/keys.tsalso has a behavior mismatch wherevalueDescriptionadvertises%variableName%substitution, butsubstituteVariables()only runs formethod === "type", so other methods may fail or behave inconsistently.- Given the concrete secret-leak impact (severity 7/10, confidence 8/10) plus a second medium-severity logic issue, this looks risky to merge without a fix.
- Pay close attention to
packages/core/lib/v3/agent/tools/keys.ts- sanitize exception paths to avoid leaking resolved secrets and align variable substitution behavior with the documented tool contract.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="packages/core/lib/v3/agent/tools/keys.ts">
<violation number="1" location="packages/core/lib/v3/agent/tools/keys.ts:10">
P2: The `valueDescription` tells the LLM that `%variableName%` substitution is available for the `value` field, but `substituteVariables()` is only called in the `method === "type"` branch. If the agent uses `method="press"` with a variable token (e.g., `%apiKey%`), the literal `%apiKey%` string will be passed to `page.keyPress()`, which will either fail or press unintended keys. Scope the variable-substitution hint to `method="type"` only.</violation>
<violation number="2" location="packages/core/lib/v3/agent/tools/keys.ts:45">
P1: Custom agent: **Exception and error message sanitization**
The error path can leak substituted secret values to the LLM. The success path correctly returns the original `%variableName%` token, but if `page.type(actualValue)` throws, the catch block returns the raw `(error as Error).message` without sanitizing out the substituted secret. Wrap the `page.type()` call so that any error in this branch returns a sanitized message that uses the original `value` token, not `actualValue`.</violation>
</file>
Architecture diagram
sequenceDiagram
participant LLM as Agent (LLM)
participant Tool as keysTool
participant Utils as substituteVariables()
participant Browser as Playwright Page
participant Recorder as V3 Recorder
Note over LLM,Tool: Tool initialized with available "variables" map
LLM->>Tool: execute({ method, value, repeat })
alt method === "type"
Tool->>Utils: NEW: substituteVariables(value, variables)
Utils-->>Tool: actualValue (e.g. "secret123")
loop repeat count
Tool->>Browser: CHANGED: page.type(actualValue)
end
Tool->>Recorder: recordAgentReplayStep(value)
Note right of Tool: NEW: instruction uses original token <br/> to prevent secret leakage in logs
Tool-->>LLM: { success: true, value }
Note right of Tool: NEW: returns original token (e.g. %password%) <br/> to LLM context
else method === "press"
loop repeat count
Tool->>Browser: page.press(value)
end
Tool->>Recorder: recordAgentReplayStep(value)
Tool-->>LLM: { success: true, value }
end
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
| const actualValue = substituteVariables(value, variables); | ||
| for (let i = 0; i < times; i++) { | ||
| await page.type(value, { delay: 100 }); | ||
| await page.type(actualValue, { delay: 100 }); |
Contributor
There was a problem hiding this comment.
P1: Custom agent: Exception and error message sanitization
The error path can leak substituted secret values to the LLM. The success path correctly returns the original %variableName% token, but if page.type(actualValue) throws, the catch block returns the raw (error as Error).message without sanitizing out the substituted secret. Wrap the page.type() call so that any error in this branch returns a sanitized message that uses the original value token, not actualValue.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/core/lib/v3/agent/tools/keys.ts, line 45:
<comment>The error path can leak substituted secret values to the LLM. The success path correctly returns the original `%variableName%` token, but if `page.type(actualValue)` throws, the catch block returns the raw `(error as Error).message` without sanitizing out the substituted secret. Wrap the `page.type()` call so that any error in this branch returns a sanitized message that uses the original `value` token, not `actualValue`.</comment>
<file context>
@@ -36,14 +39,17 @@ Use method="press" for navigation keys (Enter, Tab, Escape, Backspace, arrows) a
+ const actualValue = substituteVariables(value, variables);
for (let i = 0; i < times; i++) {
- await page.type(value, { delay: 100 });
+ await page.type(actualValue, { delay: 100 });
}
v3.recordAgentReplayStep({
</file context>
Suggested change
| await page.type(actualValue, { delay: 100 }); | |
| try { | |
| await page.type(actualValue, { delay: 100 }); | |
| } catch (e) { | |
| return { | |
| success: false, | |
| error: `Failed to type "${value}"`, | |
| }; | |
| } |
| export const keysTool = (v3: V3, variables?: Variables) => { | ||
| const hasVariables = variables && Object.keys(variables).length > 0; | ||
| const valueDescription = hasVariables | ||
| ? `The text to type, or the key/combo to press (Enter, Tab, Cmd+A). Use %variableName% to substitute a variable value. Available: ${Object.keys(variables).join(", ")}` |
Contributor
There was a problem hiding this comment.
P2: The valueDescription tells the LLM that %variableName% substitution is available for the value field, but substituteVariables() is only called in the method === "type" branch. If the agent uses method="press" with a variable token (e.g., %apiKey%), the literal %apiKey% string will be passed to page.keyPress(), which will either fail or press unintended keys. Scope the variable-substitution hint to method="type" only.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/core/lib/v3/agent/tools/keys.ts, line 10:
<comment>The `valueDescription` tells the LLM that `%variableName%` substitution is available for the `value` field, but `substituteVariables()` is only called in the `method === "type"` branch. If the agent uses `method="press"` with a variable token (e.g., `%apiKey%`), the literal `%apiKey%` string will be passed to `page.keyPress()`, which will either fail or press unintended keys. Scope the variable-substitution hint to `method="type"` only.</comment>
<file context>
@@ -1,21 +1,24 @@
+export const keysTool = (v3: V3, variables?: Variables) => {
+ const hasVariables = variables && Object.keys(variables).length > 0;
+ const valueDescription = hasVariables
+ ? `The text to type, or the key/combo to press (Enter, Tab, Cmd+A). Use %variableName% to substitute a variable value. Available: ${Object.keys(variables).join(", ")}`
+ : "The text to type, or the key/combo to press (Enter, Tab, Cmd+A)";
+
</file context>
Suggested change
| ? `The text to type, or the key/combo to press (Enter, Tab, Cmd+A). Use %variableName% to substitute a variable value. Available: ${Object.keys(variables).join(", ")}` | |
| ? `The text to type (method="type"), or the key/combo to press (method="press") (Enter, Tab, Cmd+A). When using method="type", use %variableName% to substitute a variable value. Available: ${Object.keys(variables).join(", ")}` |
2 tasks
Contributor
|
Hey @pirate — I opened #1978 which fixes the cache replay side of this same issue. Your PR (#1813) fixes variable substitution during live execution of the keys tool, but |
Member
|
got it, thanks for the fix @a7med3liamin, I will close this PR and reclaim the new one |
github-actions
bot
added
external-contributor:stale
2 tasks
pirate
added a commit
that referenced
this pull request
Apr 9, 2026
…che replay (#1983) Mirrored from external contributor PR #1978 after approval by @pirate. Original author: @a7med3liamin Original PR: #1978 Approved source head SHA: `2149aa265a04dc37154d5a84411f3ab4d1045897` @a7med3liamin, please continue any follow-up discussion on this mirrored PR. When the external PR gets new commits, this same internal PR will be marked stale until the latest external commit is approved and refreshed here. ## Original description - [x] Check the [documentation](https://docs.stagehand.dev/) for relevant information - [x] Search existing [issues](https://github.com/browserbase/stagehand/issues) to avoid duplicates Fixes #1776 ## Problem The `keys` tool has no variable substitution in either the live execution or cache replay paths. When the agent uses `%variableName%` tokens with the keys tool, the literal token string gets typed instead of the resolved value. ## Fix This PR combines two fixes into one: ### 1. Live execution (original fix by @trillville from #1777) - Accept `variables` parameter in `keysTool` (matching `typeTool`) - Call `substituteVariables()` before `page.type()` in the `method === "type"` branch - Pass `variables` to `keysTool` in `createAgentTools` - Update schema description to advertise available variables to the LLM - Return original token in result to avoid exposing sensitive values to LLM ### 2. Cache replay (new fix) - Import `substituteVariables` in `AgentCache.ts` - Pass `variables` through to `replayAgentKeysStep` - Call `substituteVariables(text, variables)` before `page.type()` in the replay path Without fix #2, cached `keys` steps with `method="type"` replay by typing literal `%variableName%` tokens even when variables are provided, since `replayAgentKeysStep` had no access to the variables map. ## Credit The live execution fix (part 1) is from @trillville's work in #1777/#1813. We merged it here with the cache replay fix per @pirate's request to consolidate into a single PR. <!-- external-contributor-pr:owned source-pr=1978 source-sha=2149aa265a04dc37154d5a84411f3ab4d1045897 claimer=pirate --> <!-- This is an auto-generated description by cubic. --> --- ## Summary by cubic Add variable substitution to the `keys` tool for both live execution and cache replay so `%variableName%` tokens are resolved before typing. This fixes cases where literal tokens were typed and brings parity with the `type` tool. - **Bug Fixes** - Pass `variables` into `keys` and call `substituteVariables()` before `page.type()`; update the input schema to list available variables. - In cache replay, forward `variables` to `replayAgentKeysStep` and substitute before typing to avoid replaying literal tokens. - Record and return the original tokenized value (not the resolved value) to avoid leaking sensitive data. <sup>Written for commit abb3905. Summary will update on new commits. <a href="https://cubic.dev/pr/browserbase/stagehand/pull/1983">Review in cubic</a></sup> <!-- End of auto-generated description by cubic. --> --------- Co-authored-by: Ahmed Ali <a7med3liamin@gmail.com> Co-authored-by: trillville <trillville@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Nick Sweeting <git@sweeting.me>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Mirrored from external contributor PR #1777 after approval by @pirate.
Original author: @trillville
Original PR: #1777
Approved source head SHA:
9c30883ba601e39d6e17ddfe91dfd72f00d4f7cd@trillville, please continue any follow-up discussion on this mirrored PR. When the external PR gets new commits, this same internal PR will be marked stale until the latest external commit is approved and refreshed here.
Original description
Fixes #1776
Fix
variablesparameter inkeysTool(matchingtypeTool)substituteVariables()beforepage.type()in themethod === "type"branchvariablestokeysToolincreateAgentToolsSummary by cubic
Fixes variable substitution in the keys tool when method="type" so %variableName% tokens are resolved before typing. Aligns behavior with the type tool and prevents secret leakage in tool outputs.
Written for commit 9c30883. Summary will update on new commits. Review in cubic