Ask HN: Do you trust AI agents with API keys / private keys?
5 points
1 hour ago
| 2 comments
| HN
are you ok sharing secrets or api keys to you ai agent via .env?

or is there any other tool or mechanism that one use to safegaurd from potential exploit or leaks

jvqv
26 minutes ago
[-]
As a precaution I would probably never pass secrets directly to the agent at all. Something like a placeholder format where the actual substitution happens at execution time so the LLM never sees the real value. Keeps things cleaner if something ever goes wrong.
reply
devendra116
11 minutes ago
[-]
is there any tool that can do this ?
reply
para_parolu
28 seconds ago
[-]
I use mitmproxy outside of agent vm
reply
10keane
1 hour ago
[-]
nope. too dangerous - i'm personally working for an agent project and i know from personal experience they do collect your session log - especially in china lol. one approach i use for my own agent is that to use keyring to store all secrets. agent will call a tool to request for it, and it will be something like <secret:gmail.password>. the substitution happens at tool execution time so the llm never sees or logs the actual value.
reply
devendra116
12 minutes ago
[-]
keyring is one of solution but even substituting values at excution does not gaurantee the security as agents can read the process itself.

im building a safe agent execution layer, A runtime where agents can act, but cannot access secrets. kinda sidecar that is callable by agent for using api keys, secrets, private keys, etc and plus one can add policy on how and what a agent can do.

does this seems good?

reply