
Claude Cowork Exfiltrates Files

https://www.promptarmor.com/resources/claude-cowork-exfiltrates-files
523•takira•7h ago•223 comments

The URL shortener that makes your links look as suspicious as possible

https://creepylink.com/
24•dreadsword•37m ago•5 comments

Furiosa: 3.5x efficiency over H100s

https://furiosa.ai/blog/introducing-rngd-server-efficient-ai-inference-at-data-center-scale
93•written-beyond•3h ago•45 comments

Scaling long-running autonomous coding

https://cursor.com/blog/scaling-agents
142•samwillis•5h ago•69 comments

Bubblewrap: A nimble way to prevent agents from accessing your .env files

https://patrickmccanna.net/a-better-way-to-limit-claude-code-and-other-coding-agents-access-to-se...
30•0o_MrPatrick_o0•2h ago•28 comments

Ask HN: Share your personal website

457•susam•10h ago•1388 comments

The State of OpenSSL for pyca/cryptography

https://cryptography.io/en/latest/statements/state-of-openssl/
89•SGran•6h ago•17 comments

You Need a Kitchen Slide Rule

https://entropicthoughts.com/kitchen-slide-rule
13•aebtebeten•1d ago•8 comments

Show HN: WebTiles – create a tiny 250x250 website with neighbors around you

https://webtiles.kicya.net/
135•dimden•5d ago•20 comments

Why some clothes shrink in the wash and how to unshrink them

https://www.swinburne.edu.au/news/2025/08/why-some-clothes-shrink-in-the-wash-and-how-to-unshrink...
462•OptionOfT•4d ago•247 comments

Generate QR Codes with Pure SQL in PostgreSQL

https://tanelpoder.com/posts/generate-qr-code-with-pure-sql-in-postgres/
61•tanelpoder•4d ago•3 comments

SparkFun Officially Dropping AdaFruit due to CoC Violation

https://www.sparkfun.com/official-response
411•yaleman•13h ago•417 comments

ChromaDB Explorer

https://www.chroma-explorer.com/
38•arsentjev•5h ago•2 comments

Sun Position Calculator

https://drajmarsh.bitbucket.io/earthsun.html
73•sanbor•6h ago•15 comments

Find a pub that needs you

https://www.ismypubfucked.com/
233•thinkingemote•12h ago•190 comments

Ask HN: What is the best way to provide continuous context to models?

3•nemath•2h ago•1 comment

How can I build a simple pulse generator to demonstrate transmission lines

https://electronics.stackexchange.com/questions/764155/how-can-i-build-a-simple-pulse-generator-t...
20•alphabetter•5d ago•4 comments

Native ZFS VDEV for Object Storage (OpenZFS Summit)

https://www.zettalane.com/blog/openzfs-summit-2025-mayanas-objbacker.html
97•suprasam•9h ago•27 comments

Roam 50GB is now Roam 100GB

https://starlink.com/support/article/58c9c8b7-474e-246f-7e3c-06db3221d34d
258•bahmboo•12h ago•304 comments

MIT Whirlwind I: A High-Speed Electronic Digital Computer (1951)

https://dome.mit.edu/bitstream/handle/1721.3/40245/MC665_r12_R-209.pdf?sequence=1&isAllowed=y
5•stmw•5d ago•1 comment

Crafting Interpreters

https://craftinginterpreters.com/
35•tosh•5h ago•6 comments

Show HN: Webctl – Browser automation for agents based on CLI instead of MCP

https://github.com/cosinusalpha/webctl
72•cosinusalpha•13h ago•21 comments

Rubik's Cube in Prolog – Order

https://medium.com/@kenichisasagawa/i-am-preparing-material-for-a-prolog-book-af7580acfee7
25•myth_drannon•4d ago•6 comments

Ford F-150 Lightning outsold the Cybertruck and was then canceled for poor sales

https://electrek.co/2026/01/13/ford-f150-lightning-outsold-tesla-cybertruck-canceled-not-selling-...
504•MBCook•10h ago•671 comments

Is Rust faster than C?

https://steveklabnik.com/writing/is-rust-faster-than-c/
240•vincentchau•4d ago•268 comments

GitHub should charge everyone $1 more per month to fund open source

https://blog.greg.technology/2025/11/27/github-should-charge-1-dollar-more-per-month.html
248•evakhoury•11h ago•229 comments

The hunt for a stolen Jackson Pollock

https://www.washingtonpost.com/entertainment/art/interactive/2026/jackson-pollock-theft-isaacs-fa...
22•prismatic•19h ago•3 comments

Ask HN: How do you safely give LLMs SSH/DB access?

68•nico•8h ago•91 comments

Ski map artist James Niehues, the 'Monet of the mountains' (2021)

https://adventure.com/ski-map-artist-james-niehues/
134•gyomu•4d ago•18 comments

Every country should set 16 as the minimum age for social media accounts

https://www.afterbabel.com/p/why-every-country-should-set-16
176•paulpauper•8h ago•223 comments

Bubblewrap: A nimble way to prevent agents from accessing your .env files

https://patrickmccanna.net/a-better-way-to-limit-claude-code-and-other-coding-agents-access-to-secrets/
30•0o_MrPatrick_o0•2h ago

Comments

typs•1h ago
I wish I had the opposite of this. It’s a race trying to come up with new ways to have Cursor edit and set my env files past all their blocking techniques!
GrowingSideways•1h ago
If you wouldn't upload keys to github, why would you trust them to cursor?
hahahahhaah•59m ago
A local .env should be safe to put on your T-shirt and walk down Times Square.

Mysql user: test

Password: mypass123

Host: localhost

...

Imustaskforhelp•58m ago
Create a symlink to .env from another file and ask Cursor to refer to it if the name is the concern regarding Cursor (I don't know how Cursor does this stuff)
Nora23•1h ago
Smart approach to AI agent security. The balance between convenience and protection is tricky.
hahahahhaah•1h ago
Had this same idea in my head. Glad someone did it. For me the motivation is not LLMs but to have something as convenient as Docker without waiting for image builds. A fast Docker for running a bunch of services locally where perfect isolation and imaging doesn't matter.
JCattheATM•1h ago
So, Flatpak?

Funny enough Bubblewrap is also what Flatpak uses.

Imustaskforhelp•57m ago
I want to like Flatpak but I am genuinely unable to understand the state of CLI tools in Flatpak or even how to develop it. It all seems very weird to build upon as compared to Docker
isodev•52m ago
My way of preventing agents from accessing my .env files is not to use agents anywhere near files with secrets. Also, maybe people forget you’re not supposed to leave actual secrets lingering on your development system.
theden•50m ago
Kinda funny that a lot of devs accepted that LLMs are basically doing RCE on their machines, but instead of halting from using `--dangerously-skip-permissions` or similar bad ideas, we're finding workarounds to convince ourselves it's not that bad
simonw•36m ago
Because we've judged it to be worth it!

YOLO mode is so much more useful that it feels like using a different product.

If you understand the risks and how to limit the secrets and files available to the agent - API keys only to dedicated staging environments for example - they can be safe enough.

zahlman•29m ago
Why not just demand agents that don't expose the dangerous tools in the first place? Like, have them directly provide functionality (and clearly consider what's secure, sanitize any paths in the tool use request, etc.) instead of punting to Bash?
simonw•25m ago
Because if you give an agent Bash it can do anything that can be achieved by running commands in Bash, which is almost anything.
VTimofeenko•12m ago
Tools may become dangerous due to a combination of flags. `ln -sf /dev/null /my-file` will make that file empty (not really, but that's beside the point).
TeMPOraL•11m ago
Because it's impossible for fundamental reasons, period. You can't "sanitize" inputs and outputs of a fully general-purpose tool, which an LLM is, any more than you can "sanitize" inputs and outputs of people - not in a perfect sense you seem to be expecting here. There is no grammar you can restrict LLMs to; for a system like this, the semantics are total and open-ended. It's what makes them work.

It doesn't mean we can't try, but one has to understand the nature of the problem. Prompt injection isn't like SQL injection, it's like a phishing attack - you can largely defend against it, but never fully, and at some point the costs of extra protection outweigh the gain.

catlifeonmars•23m ago
Shouldn’t companies like Anthropic be on the hook for creating tools that default to running YOLO mode securely? Why is it up to 3rd parties to add safety to their products?
pjm331•16m ago
I feel like you can get 80% of the benefits and none of the risks with just accept edits mode and some whitelisted bash commands for running tests, etc.
croes•5m ago
> Because we've judged it to be worth it!

Famous last words

catlifeonmars•24m ago
People really really want to juggle chainsaws, so we have to keep coming up with thicker and thicker gloves.
dangoodmanUT•46m ago
I've been saying bubblewrap is an amazing solution for years (and sandbox-exec as a Mac alternative). This is the only way I run agents on systems I care about
catlifeonmars•27m ago
> run agents on systems I care about

You must not care about those systems that much.

meander_water•44m ago
I recently created a throwaway API key for cloudflare and asked a cursor cloud agent to deploy some infra using it, but it responded with this:

> I can’t take that token and run Cloudflare provisioning on your behalf, even if it’s “only” set as an env var (it’s still a secret credential and you’ve shared it in chat). Please revoke/rotate it immediately in Cloudflare.

So clearly they've put some sort of prompt guard in place. I wonder how easy it would be to circumvent it.

gexla•38m ago
I believe this is also what Claude Code uses for the sandbox option.
OutOfHere•36m ago
The link you need is https://github.com/containers/bubblewrap

Don't leave prod secrets in your dev env.

catlifeonmars•36m ago
May I suggest rm -f .env? Or chmod 0600 .env? You’re not running CC as your own user, right? …Right?

Oh, never mind:

> You want to run a binary that will execute under your account’s permissions

simonw•19m ago
I recommend caution with this bit:

  --bind "$HOME/.claude" "$HOME/.claude"
That directory has a bunch of sensitive stuff in it, most notably the transcripts of all of your previous Claude Code sessions.

You may want to take steps to avoid a malicious prompt injection stealing those, since they might contain sensitive data.

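An added example, not code from the linked post and not any commenter's, of what the caution above and the post's title amount to in practice: a wrapper that launches an agent under bwrap with the host filesystem read-only, an empty tmpfs in place of $HOME (so ~/.claude transcripts, ~/.ssh and similar are simply absent rather than bound in), the project tree writable, and /dev/null bound over every .env-style file found inside it so the agent reads them as empty. Only flags documented in the containers/bubblewrap README are used; the function names, the DRY_RUN variable and the .env matching rules are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the linked post or from bubblewrap itself.
# Launch a coding agent under bwrap (https://github.com/containers/bubblewrap)
# so that: the host filesystem is read-only, $HOME is replaced by an empty
# tmpfs (no ~/.claude transcripts, ~/.ssh, ~/.aws ...), only the project tree
# is writable, and every .env-style file inside the project reads as empty.
# Function names, DRY_RUN and the .env matching rules are this example's own.

# List .env-style files under the project (.env, .env.local, .envrc, ...),
# skipping the conventional secret-free templates. Symlinked .env files and
# secrets stored under other names are deliberately out of scope here.
find_env_files() {
  find "$1" -type f -name '.env*' \
    ! -name '*.example' ! -name '*.sample' ! -name '*.template'
}

# Emit the bwrap argument list, one argument per line, so paths with spaces
# survive. bwrap applies mount options in command-line order, later ones on
# top of earlier ones, which is what lets the /dev/null binds mask files that
# sit inside the writable project bind.
build_bwrap_args() {
  proj=$1
  home=${HOME:?HOME must be set}
  printf '%s\n' \
    --unshare-all --share-net \
    --die-with-parent \
    --ro-bind / / \
    --dev /dev \
    --proc /proc \
    --tmpfs /tmp \
    --tmpfs "$home" \
    --bind "$proj" "$proj" \
    --chdir "$proj"
  find_env_files "$proj" | while IFS= read -r f; do
    printf '%s\n' --ro-bind /dev/null "$f"
  done
}

# run_sandboxed PROJECT_DIR COMMAND [ARGS...]
# With DRY_RUN set, print the bwrap command line instead of executing it.
run_sandboxed() {
  proj=$1
  shift
  # Split the generated list on newlines only; globbing is off so a '*' in a
  # path is not expanded. 'unset IFS' restores default word splitting.
  IFS='
'
  set -f
  # shellcheck disable=SC2046
  set -- $(build_bwrap_args "$proj") -- "$@"
  unset IFS
  set +f
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' bwrap "$@"
  else
    exec bwrap "$@"
  fi
}

# Typical use after sourcing this file in a shell. The project dir must be
# below $HOME but not $HOME itself (binding $HOME would undo the tmpfs):
#   DRY_RUN=1 run_sandboxed "$PWD" claude    # inspect the command line
#   run_sandboxed "$PWD" claude              # launch the agent
```

If the agent genuinely needs persistent state of its own, bind a fresh per-project directory read-write at the path it expects rather than the real $HOME/.claude; that keeps previous sessions' transcripts out of reach of anything the agent is induced to do.
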
majorchord•12m ago
If you don't mind a suid program, "firejail --private" is a lot less to type and seems to work extremely similarly. By default it will delete anything created in the newly-empty home folder on exit, unless you use --private=somedir to save it there instead.
eyberg•10m ago
https://github.com/containers/bubblewrap/issues/142