Ask HN: Do you trust AI agents with API keys / private keys?
5•devendra116•2h ago
are you ok sharing secrets or api keys to you ai agent via .env?
or is there any other tool or mechanism that one use to safegaurd from potential exploit or leaks
Comments
10keane•2h ago
nope. too dangerous - i'm personally working for an agent project and i know from personal experience they do collect your session log - especially in china lol. one approach i use for my own agent is that to use keyring to store all secrets. agent will call a tool to request for it, and it will be something like <secret:gmail.password>. the substitution happens at tool execution time so the llm never sees or logs the actual value.
devendra116•1h ago
keyring is one of solution but even substituting values at excution does not gaurantee the security as agents can read the process itself.
im building a safe agent execution layer, A runtime where agents can act, but cannot access secrets. kinda sidecar that is callable by agent for using api keys, secrets, private keys, etc and plus one can add policy on how and what a agent can do.
does this seems good?
jvqv•1h ago
As a precaution I would probably never pass secrets directly to the agent at all. Something like a placeholder format where the actual substitution happens at execution time so the LLM never sees the real value. Keeps things cleaner if something ever goes wrong.
10keane•2h ago
devendra116•1h ago
im building a safe agent execution layer, A runtime where agents can act, but cannot access secrets. kinda sidecar that is callable by agent for using api keys, secrets, private keys, etc and plus one can add policy on how and what a agent can do.
does this seems good?