diff --git a/scripts/dev-api.js b/scripts/dev-api.js
index b28535b..4ab93b6 100644
--- a/scripts/dev-api.js
+++ b/scripts/dev-api.js
@@ -3560,6 +3560,22 @@ function normalizeHermesProviderRoutingList(value, key) {
   return normalized
 }
 
+function normalizeHermesEnvNameList(value, key) {
+  const seen = new Set()
+  const normalized = []
+  for (const item of normalizeHermesMultilineList(value)) {
+    const name = String(item ?? '').trim()
+    if (!/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(name)) {
+      throw new Error(`${key} 只能填写环境变量名，每行一个，例如 GITHUB_TOKEN`)
+    }
+    if (!seen.has(name)) {
+      seen.add(name)
+      normalized.push(name)
+    }
+  }
+  return normalized
+}
+
 function normalizeHermesAuxiliaryProvider(value, key, strict = false) {
   const provider = String(value ?? '').trim().toLowerCase() || 'auto'
   if (HERMES_AUXILIARY_PROVIDERS.has(provider)) return provider
@@ -5163,6 +5179,7 @@ export function buildHermesTerminalConfigValues(config = {}) {
     terminalSingularityImage: typeof terminal.singularity_image === 'string' ? terminal.singularity_image.trim() : '',
     terminalModalImage: typeof terminal.modal_image === 'string' ? terminal.modal_image.trim() : '',
     terminalDaytonaImage: typeof terminal.daytona_image === 'string' ? terminal.daytona_image.trim() : '',
+    terminalDockerForwardEnv: normalizeHermesEnvNameList(terminal.docker_forward_env || [], 'terminal.docker_forward_env').join('\n'),
     terminalSshHost: typeof terminal.ssh_host === 'string' ? terminal.ssh_host.trim() : '',
     terminalSshUser: typeof terminal.ssh_user === 'string' ? terminal.ssh_user.trim() : '',
     terminalSshPort: parseHermesInteger(terminal.ssh_port, 'terminal.ssh_port', 22, 1, 65535, false),
@@ -5196,6 +5213,9 @@ export function mergeHermesTerminalConfig(config = {}, form = {}) {
     if (image) terminal[yamlKey] = image
     else delete terminal[yamlKey]
   }
+  const dockerForwardEnv = normalizeHermesEnvNameList(Object.hasOwn(form, 'terminalDockerForwardEnv') ? form.terminalDockerForwardEnv : currentValues.terminalDockerForwardEnv, 'terminal.docker_forward_env')
+  if (dockerForwardEnv.length) terminal.docker_forward_env = dockerForwardEnv
+  else delete terminal.docker_forward_env
   for (const [formKey, yamlKey] of [
     ['terminalSshHost', 'ssh_host'],
     ['terminalSshUser', 'ssh_user'],
diff --git a/src-tauri/src/commands/hermes.rs b/src-tauri/src/commands/hermes.rs
index 26a4c1e..e439e7d 100644
--- a/src-tauri/src/commands/hermes.rs
+++ b/src-tauri/src/commands/hermes.rs
@@ -2340,6 +2340,31 @@ fn normalize_hermes_provider_routing_list(
     Ok(values)
 }
 
+fn normalize_hermes_env_name_list(raw: Option<String>, key: &str) -> Result<Vec<String>, String> {
+    let mut values = Vec::new();
+    for item in normalize_hermes_multiline_list(raw) {
+        let name = item.trim().to_string();
+        if name.is_empty() {
+            continue;
+        }
+        let mut chars = name.chars();
+        let valid_first = chars
+            .next()
+            .map(|ch| ch.is_ascii_alphabetic() || ch == '_')
+            .unwrap_or(false);
+        let valid_rest = chars.all(|ch| ch.is_ascii_alphanumeric() || ch == '_');
+        if !valid_first || !valid_rest {
+            return Err(format!(
+                "{key} 只能填写环境变量名，每行一个，例如 GITHUB_TOKEN"
+            ));
+        }
+        if !values.contains(&name) {
+            values.push(name);
+        }
+    }
+    Ok(values)
+}
+
 fn normalize_hermes_auxiliary_provider(
     value: Option<String>,
     key: &str,
@@ -7867,6 +7892,9 @@ fn build_hermes_terminal_config_values(config: &serde_yaml::Value) -> Value {
     let terminal_singularity_image = terminal_string("singularity_image");
     let terminal_modal_image = terminal_string("modal_image");
     let terminal_daytona_image = terminal_string("daytona_image");
+    let terminal_docker_forward_env = terminal
+        .map(|map| yaml_string_sequence_field(map, "docker_forward_env").join("\n"))
+        .unwrap_or_default();
     let terminal_ssh_host = terminal_string("ssh_host");
     let terminal_ssh_user = terminal_string("ssh_user");
     let terminal_ssh_port = terminal
@@ -7897,6 +7925,7 @@ fn build_hermes_terminal_config_values(config: &serde_yaml::Value) -> Value {
         "terminalSingularityImage": terminal_singularity_image,
         "terminalModalImage": terminal_modal_image,
         "terminalDaytonaImage": terminal_daytona_image,
+        "terminalDockerForwardEnv": terminal_docker_forward_env,
         "terminalSshHost": terminal_ssh_host,
         "terminalSshUser": terminal_ssh_user,
         "terminalSshPort": terminal_ssh_port,
@@ -8004,6 +8033,14 @@ fn merge_hermes_terminal_config(
         .unwrap_or_default()
         .trim()
         .to_string();
+    let terminal_docker_forward_env = normalize_hermes_env_name_list(
+        form_string(form, "terminalDockerForwardEnv").or_else(|| {
+            current["terminalDockerForwardEnv"]
+                .as_str()
+                .map(ToString::to_string)
+        }),
+        "terminal.docker_forward_env",
+    )?;
     let terminal_ssh_host = form_string(form, "terminalSshHost")
         .or_else(|| current["terminalSshHost"].as_str().map(ToString::to_string))
         .unwrap_or_default()
@@ -8097,6 +8134,19 @@ fn merge_hermes_terminal_config(
     set_optional_yaml_string(terminal, "singularity_image", terminal_singularity_image);
     set_optional_yaml_string(terminal, "modal_image", terminal_modal_image);
     set_optional_yaml_string(terminal, "daytona_image", terminal_daytona_image);
+    if terminal_docker_forward_env.is_empty() {
+        terminal.remove(yaml_key("docker_forward_env"));
+    } else {
+        terminal.insert(
+            yaml_key("docker_forward_env"),
+            serde_yaml::Value::Sequence(
+                terminal_docker_forward_env
+                    .into_iter()
+                    .map(serde_yaml::Value::String)
+                    .collect(),
+            ),
+        );
+    }
     set_optional_yaml_string(terminal, "ssh_host", terminal_ssh_host);
     set_optional_yaml_string(terminal, "ssh_user", terminal_ssh_user);
     terminal.insert(
@@ -16625,6 +16675,7 @@ mod hermes_terminal_config_tests {
         assert_eq!(values["terminalSingularityImage"], "");
         assert_eq!(values["terminalModalImage"], "");
         assert_eq!(values["terminalDaytonaImage"], "");
+        assert_eq!(values["terminalDockerForwardEnv"], "");
         assert_eq!(values["terminalSshHost"], "");
         assert_eq!(values["terminalSshUser"], "");
         assert_eq!(values["terminalSshPort"], 22);
@@ -16643,6 +16694,9 @@ terminal:
   docker_mount_cwd_to_workspace: true
   docker_run_as_host_user: true
   docker_image: nikolaik/python-nodejs:python3.11-nodejs20
+  docker_forward_env:
+    - GITHUB_TOKEN
+    - NPM_TOKEN
   singularity_image: docker://nikolaik/python-nodejs:python3.11-nodejs20
   modal_image: python:3.12
   daytona_image: ubuntu:24.04
@@ -16668,6 +16722,10 @@ terminal:
             values["terminalDockerImage"],
             "nikolaik/python-nodejs:python3.11-nodejs20"
         );
+        assert_eq!(
+            values["terminalDockerForwardEnv"],
+            "GITHUB_TOKEN\nNPM_TOKEN"
+        );
         assert_eq!(
             values["terminalSingularityImage"],
             "docker://nikolaik/python-nodejs:python3.11-nodejs20"
@@ -16694,7 +16752,7 @@ terminal:
   backend: local
   docker_image: custom/python-node
   docker_forward_env:
-    - GITHUB_TOKEN
+    - OLD_TOKEN
   custom_flag: keep-terminal
 streaming:
   enabled: true
@@ -16712,6 +16770,7 @@ streaming:
                 "terminalDockerMountCwdToWorkspace": true,
                 "terminalDockerRunAsHostUser": true,
                 "terminalDockerImage": "nikolaik/python-nodejs:python3.12-nodejs22",
+                "terminalDockerForwardEnv": "GITHUB_TOKEN\nNPM_TOKEN\nGITHUB_TOKEN",
                 "terminalSingularityImage": "docker://ubuntu:24.04",
                 "terminalModalImage": "debian:bookworm",
                 "terminalDaytonaImage": "ubuntu:22.04",
@@ -16778,6 +16837,44 @@ streaming:
             config["terminal"]["docker_forward_env"][0].as_str(),
             Some("GITHUB_TOKEN")
         );
+        assert_eq!(
+            config["terminal"]["docker_forward_env"][1].as_str(),
+            Some("NPM_TOKEN")
+        );
+        assert_eq!(
+            config["terminal"]["docker_forward_env"]
+                .as_sequence()
+                .unwrap()
+                .len(),
+            2
+        );
+        assert_eq!(
+            config["terminal"]["custom_flag"].as_str(),
+            Some("keep-terminal")
+        );
+    }
+
+    #[test]
+    fn merge_terminal_config_removes_empty_docker_forward_env() {
+        let mut config: serde_yaml::Value = serde_yaml::from_str(
+            r#"
+terminal:
+  docker_forward_env:
+    - GITHUB_TOKEN
+  custom_flag: keep-terminal
+"#,
+        )
+        .unwrap();
+
+        merge_hermes_terminal_config(
+            &mut config,
+            &json!({
+                "terminalDockerForwardEnv": "  \n",
+            }),
+        )
+        .unwrap();
+
+        assert!(config["terminal"]["docker_forward_env"].is_null());
         assert_eq!(
             config["terminal"]["custom_flag"].as_str(),
             Some("keep-terminal")
@@ -16881,6 +16978,12 @@ terminal:
         let err = merge_hermes_terminal_config(&mut config, &json!({ "terminalSshPort": 65536 }))
             .unwrap_err();
         assert!(err.contains("terminal.ssh_port"));
+        let err = merge_hermes_terminal_config(
+            &mut config,
+            &json!({ "terminalDockerForwardEnv": "GOOD_TOKEN\nBAD TOKEN" }),
+        )
+        .unwrap_err();
+        assert!(err.contains("terminal.docker_forward_env"));
     }
 }
 
diff --git a/src/engines/hermes/pages/config.js b/src/engines/hermes/pages/config.js
index 6b6831c..8575044 100644
--- a/src/engines/hermes/pages/config.js
+++ b/src/engines/hermes/pages/config.js
@@ -266,6 +266,7 @@ const TERMINAL_DEFAULTS = {
   terminalSingularityImage: '',
   terminalModalImage: '',
   terminalDaytonaImage: '',
+  terminalDockerForwardEnv: '',
   terminalSshHost: '',
   terminalSshUser: '',
   terminalSshPort: 22,
@@ -2022,6 +2023,10 @@ export function render() {
               <span class="hm-field-label">${t('engine.hermesTerminalConfigDockerImage')}</span>
               <input id="hm-terminal-docker-image" class="hm-input" value="${esc(terminalValues.terminalDockerImage)}" placeholder="nikolaik/python-nodejs:python3.11-nodejs20" ${disabled ? 'disabled' : ''}>
             </label>
+            <label class="hm-field hm-field--wide">
+              <span class="hm-field-label">${t('engine.hermesTerminalConfigDockerForwardEnv')}</span>
+              <textarea id="hm-terminal-docker-forward-env" class="hm-input hm-textarea" rows="3" placeholder="GITHUB_TOKEN&#10;NPM_TOKEN" ${disabled ? 'disabled' : ''}>${esc(terminalValues.terminalDockerForwardEnv)}</textarea>
+            </label>
             <label class="hm-field">
               <span class="hm-field-label">${t('engine.hermesTerminalConfigSingularityImage')}</span>
               <input id="hm-terminal-singularity-image" class="hm-input" value="${esc(terminalValues.terminalSingularityImage)}" placeholder="docker://nikolaik/python-nodejs:python3.11-nodejs20" ${disabled ? 'disabled' : ''}>
@@ -3718,6 +3723,7 @@ export function render() {
       terminalDockerMountCwdToWorkspace: !!el.querySelector('#hm-terminal-docker-mount-cwd-to-workspace')?.checked,
       terminalDockerRunAsHostUser: !!el.querySelector('#hm-terminal-docker-run-as-host-user')?.checked,
       terminalDockerImage: el.querySelector('#hm-terminal-docker-image')?.value || '',
+      terminalDockerForwardEnv: el.querySelector('#hm-terminal-docker-forward-env')?.value || '',
       terminalSingularityImage: el.querySelector('#hm-terminal-singularity-image')?.value || '',
       terminalModalImage: el.querySelector('#hm-terminal-modal-image')?.value || '',
       terminalDaytonaImage: el.querySelector('#hm-terminal-daytona-image')?.value || '',
diff --git a/src/engines/hermes/style/hermes.css b/src/engines/hermes/style/hermes.css
index b9186a8..6f73ae6 100644
--- a/src/engines/hermes/style/hermes.css
+++ b/src/engines/hermes/style/hermes.css
@@ -6775,6 +6775,15 @@ body[data-active-engine="hermes"][data-theme="dark"] {
   gap: 16px;
   align-items: end;
 }
+[data-engine="hermes"] .hm-config-runtime-grid .hm-field--wide {
+  grid-column: 1 / -1;
+}
+[data-engine="hermes"] .hm-textarea {
+  min-height: 104px;
+  height: auto;
+  resize: vertical;
+  line-height: 1.6;
+}
 [data-engine="hermes"] .hm-config-compression-grid {
   grid-template-columns: repeat(4, minmax(140px, 1fr));
   margin-top: 18px;
diff --git a/src/locales/modules/engine.js b/src/locales/modules/engine.js
index bb5a7b5..ec9825e 100644
--- a/src/locales/modules/engine.js
+++ b/src/locales/modules/engine.js
@@ -527,13 +527,14 @@ export default {
   hermesTerminalConfigSshPort: _('SSH 端口', 'SSH port', 'SSH 連接埠'),
   hermesTerminalConfigSshKey: _('SSH 密钥路径（可选）', 'SSH key path (optional)', 'SSH 金鑰路徑（可選）'),
   hermesTerminalConfigDockerImage: _('Docker 镜像（可选）', 'Docker image (optional)', 'Docker 映像（可選）'),
+  hermesTerminalConfigDockerForwardEnv: _('Docker 转发环境变量名', 'Docker forwarded env names', 'Docker 轉發環境變數名'),
   hermesTerminalConfigSingularityImage: _('Singularity 镜像（可选）', 'Singularity image (optional)', 'Singularity 映像（可選）'),
   hermesTerminalConfigModalImage: _('Modal 镜像（可选）', 'Modal image (optional)', 'Modal 映像（可選）'),
   hermesTerminalConfigDaytonaImage: _('Daytona 镜像（可选）', 'Daytona image (optional)', 'Daytona 映像（可選）'),
   hermesTerminalConfigContainerCpu: _('CPU 核数', 'CPU cores', 'CPU 核心數'),
   hermesTerminalConfigContainerMemory: _('内存 MB', 'Memory MB', '記憶體 MB'),
   hermesTerminalConfigContainerDisk: _('磁盘 MB', 'Disk MB', '磁碟 MB'),
-  hermesTerminalConfigFootnote: _('SSH 字段只在 SSH 后端生效，留空会移除主机、用户和密钥覆盖；面板不保存 SSH 密码。镜像字段只在对应 Docker、Singularity、Modal 或 Daytona 后端生效；留空会移除覆盖并使用 Hermes 默认值。Docker 挂载启动目录会把宿主目录暴露给沙箱，仅在可信项目和无人值守任务中开启；环境变量等高级参数仍可在 raw YAML 中编辑。', 'SSH fields only apply to the SSH backend. Leaving them blank removes host, user, and key overrides; the panel does not save SSH passwords. Image fields only apply to the matching Docker, Singularity, Modal, or Daytona backend. Leaving them blank removes the override and uses Hermes defaults. Mounting the launch cwd exposes host files to the sandbox; enable it only for trusted projects or unattended jobs. Environment advanced fields remain editable in raw YAML.', 'SSH 欄位只在 SSH 後端生效，留空會移除主機、使用者和金鑰覆蓋；面板不儲存 SSH 密碼。映像欄位只在對應 Docker、Singularity、Modal 或 Daytona 後端生效；留空會移除覆蓋並使用 Hermes 預設值。Docker 掛載啟動目錄會把宿主目錄暴露給沙箱，僅在可信專案和無人值守任務中開啟；環境變數等進階參數仍可在 raw YAML 中編輯。'),
+  hermesTerminalConfigFootnote: _('SSH 字段只在 SSH 后端生效，留空会移除主机、用户和密钥覆盖；面板不保存 SSH 密码。镜像字段只在对应 Docker、Singularity、Modal 或 Daytona 后端生效；留空会移除覆盖并使用 Hermes 默认值。Docker 环境变量转发只保存变量名，不保存密钥值；每行一个变量名，留空会移除覆盖。Docker 挂载启动目录会把宿主目录暴露给沙箱，仅在可信项目和无人值守任务中开启。', 'SSH fields only apply to the SSH backend. Leaving them blank removes host, user, and key overrides; the panel does not save SSH passwords. Image fields only apply to the matching Docker, Singularity, Modal, or Daytona backend. Leaving them blank removes the override and uses Hermes defaults. Docker env forwarding stores variable names only, not secret values; use one name per line, or leave blank to remove the override. Mounting the launch cwd exposes host files to the sandbox; enable it only for trusted projects or unattended jobs.', 'SSH 欄位只在 SSH 後端生效，留空會移除主機、使用者和金鑰覆蓋；面板不儲存 SSH 密碼。映像欄位只在對應 Docker、Singularity、Modal 或 Daytona 後端生效；留空會移除覆蓋並使用 Hermes 預設值。Docker 環境變數轉發只儲存變數名，不儲存密鑰值；每行一個變數名，留空會移除覆蓋。Docker 掛載啟動目錄會把宿主目錄暴露給沙箱，僅在可信專案和無人值守任務中開啟。'),
   hermesStreamingConfigTitle: _('网关流式输出', 'Gateway streaming output', '閘道流式輸出'),
   hermesStreamingConfigDesc: _('控制 Hermes Gateway 回复时是否边生成边更新消息，以及消息刷新节奏。适合需要更快看到长回复进度的渠道。', 'Control whether Hermes Gateway updates messages while replies are generated, plus the refresh cadence. Useful when channels need quicker progress for long replies.', '控制 Hermes Gateway 回覆時是否邊生成邊更新訊息，以及訊息刷新節奏。適合需要更快看到長回覆進度的渠道。'),
   hermesStreamingConfigStatusReady: _('结构化配置', 'structured settings', '結構化設定'),
diff --git a/tests/hermes-config-page-ui.test.js b/tests/hermes-config-page-ui.test.js
index ca39ba5..aeaef94 100644
--- a/tests/hermes-config-page-ui.test.js
+++ b/tests/hermes-config-page-ui.test.js
@@ -393,6 +393,7 @@ test('Hermes 配置页会暴露终端执行结构化配置字段', () => {
     'hm-terminal-docker-mount-cwd-to-workspace',
     'hm-terminal-docker-run-as-host-user',
     'hm-terminal-docker-image',
+    'hm-terminal-docker-forward-env',
     'hm-terminal-singularity-image',
     'hm-terminal-modal-image',
     'hm-terminal-daytona-image',
diff --git a/tests/hermes-terminal-config.test.js b/tests/hermes-terminal-config.test.js
index cb9601b..c1cce30 100644
--- a/tests/hermes-terminal-config.test.js
+++ b/tests/hermes-terminal-config.test.js
@@ -24,6 +24,7 @@ test('Hermes 终端执行配置读取会提供上游默认值', () => {
     terminalSingularityImage: '',
     terminalModalImage: '',
     terminalDaytonaImage: '',
+    terminalDockerForwardEnv: '',
     terminalSshHost: '',
     terminalSshUser: '',
     terminalSshPort: 22,
@@ -41,6 +42,7 @@ test('Hermes 终端执行配置读取会回显 YAML 字段', () => {
       docker_mount_cwd_to_workspace: true,
       docker_run_as_host_user: true,
       docker_image: 'nikolaik/python-nodejs:python3.11-nodejs20',
+      docker_forward_env: ['GITHUB_TOKEN', 'NPM_TOKEN'],
       singularity_image: 'docker://nikolaik/python-nodejs:python3.11-nodejs20',
       modal_image: 'python:3.12',
       daytona_image: 'ubuntu:24.04',
@@ -62,6 +64,7 @@ test('Hermes 终端执行配置读取会回显 YAML 字段', () => {
   assert.equal(values.terminalDockerMountCwdToWorkspace, true)
   assert.equal(values.terminalDockerRunAsHostUser, true)
   assert.equal(values.terminalDockerImage, 'nikolaik/python-nodejs:python3.11-nodejs20')
+  assert.equal(values.terminalDockerForwardEnv, 'GITHUB_TOKEN\nNPM_TOKEN')
   assert.equal(values.terminalSingularityImage, 'docker://nikolaik/python-nodejs:python3.11-nodejs20')
   assert.equal(values.terminalModalImage, 'python:3.12')
   assert.equal(values.terminalDaytonaImage, 'ubuntu:24.04')
@@ -81,7 +84,7 @@ test('Hermes 终端执行配置保存会保留未知字段并写入上游结构'
     terminal: {
       backend: 'local',
       docker_image: 'custom/python-node',
-      docker_forward_env: ['GITHUB_TOKEN'],
+      docker_forward_env: ['OLD_TOKEN'],
       custom_flag: 'keep-terminal',
     },
     streaming: { enabled: true },
@@ -93,6 +96,7 @@ test('Hermes 终端执行配置保存会保留未知字段并写入上游结构'
     terminalDockerMountCwdToWorkspace: true,
     terminalDockerRunAsHostUser: true,
     terminalDockerImage: 'nikolaik/python-nodejs:python3.12-nodejs22',
+    terminalDockerForwardEnv: 'GITHUB_TOKEN\nNPM_TOKEN\nGITHUB_TOKEN',
     terminalSingularityImage: 'docker://ubuntu:24.04',
     terminalModalImage: 'debian:bookworm',
     terminalDaytonaImage: 'ubuntu:22.04',
@@ -126,7 +130,21 @@ test('Hermes 终端执行配置保存会保留未知字段并写入上游结构'
   assert.equal(next.terminal.container_memory, 6144)
   assert.equal(next.terminal.container_disk, 20480)
   assert.equal(next.terminal.container_persistent, false)
-  assert.deepEqual(next.terminal.docker_forward_env, ['GITHUB_TOKEN'])
+  assert.deepEqual(next.terminal.docker_forward_env, ['GITHUB_TOKEN', 'NPM_TOKEN'])
+  assert.equal(next.terminal.custom_flag, 'keep-terminal')
+})
+
+test('Hermes 终端执行配置保存空 Docker 环境变量转发会删除对应字段', () => {
+  const next = mergeHermesTerminalConfig({
+    terminal: {
+      docker_forward_env: ['GITHUB_TOKEN'],
+      custom_flag: 'keep-terminal',
+    },
+  }, {
+    terminalDockerForwardEnv: '  \n',
+  })
+
+  assert.equal(Object.hasOwn(next.terminal, 'docker_forward_env'), false)
   assert.equal(next.terminal.custom_flag, 'keep-terminal')
 })
 
@@ -205,4 +223,8 @@ test('Hermes 终端执行配置保存会拒绝非法后端和越界值', () => {
     () => mergeHermesTerminalConfig({}, { terminalSshPort: '65536' }),
     /terminal\.ssh_port/,
   )
+  assert.throws(
+    () => mergeHermesTerminalConfig({}, { terminalDockerForwardEnv: 'GOOD_TOKEN\nBAD TOKEN' }),
+    /terminal\.docker_forward_env/,
+  )
 })