Ask HN: Do you trust AI agents with API keys / private keys?
are you ok sharing secrets or api keys to you ai agent via .env?
or is there any other tool or mechanism that one use to safegaurd from potential exploit or leaks
or is there any other tool or mechanism that one use to safegaurd from potential exploit or leaks
21 comments
[ 1.9 ms ] story [ 50.4 ms ] threadMy use case is ssh. I would like to stick my private key into a local Docker container, have a ssh-identical cli that reverse proxies into the container, and have some rules about what ssh commands the container may proxy or not.
Does anyone know of something like this?
If I get my stuff hacked (because I use a machine with nothing else on it other than coding agents) I'll know these services are not removing my personal info from their logs.
I don't operate chinese models where my high value api keys are.
It's pretty hard to debug stuff without using real api keys, service accounts etc...otjerwise
I let it troubleshoot my web code using a temporary JWT in a dev environment using headless chrome and Puppeteer in a Docker container.
Everything else is in AWS Secrets Manager inaccessible by the IAM role the agent has access to.
I don’t store the temporary AWS keys in a file anywhere. They are in environment variables. All AWS SDKs and the CLI look in the environment variables by default.
I sure as hell don’t store API keys anywhere on my local computer.
Then simply I tell to the AI to just import from the .env file and do not read from the file.
All these have native audit logs and access logs, which can help you pin point exactly when did your AI Agent requested and accessed your secrets at Runtime.
Best yet - never keep sensitive data locally on your machine in plaintext