8 points by devendra116 6 hours ago | 6 comments
  • sjdv1982 an hour ago
    I wanted to ask almost this question, then saw that it is on #1 right now.

    My use case is ssh. I would like to stick my private key into a local Docker container, have a ssh-identical cli that reverse proxies into the container, and have some rules about what ssh commands the container may proxy or not.

    Does anyone know of something like this?

  • sminchev an hour ago
    Like everything else. You don't share your private, personal data, credit card numbers with the rest of the world, just like that. ;)
  • jvqv 5 hours ago
    As a precaution I would probably never pass secrets directly to the agent at all. Something like a placeholder format where the actual substitution happens at execution time so the LLM never sees the real value. Keeps things cleaner if something ever goes wrong.
    • devendra116 5 hours ago
      is there any tool that can do this ?
      • para_parolu 5 hours ago
        I use mitmproxy outside of agent vm
  • KellyCriterion an hour ago
    No :)
  • 10keane 6 hours ago
    nope. too dangerous - i'm personally working for an agent project and i know from personal experience they do collect your session log - especially in china lol. one approach i use for my own agent is to use keyring to store all secrets. agent will call a tool to request it, and it will be something like <secret:gmail.password>. the substitution happens at tool execution time so the llm never sees or logs the actual value.
    • devendra116 5 hours ago
      keyring is one solution, but even substituting values at execution does not guarantee security, as agents can read the process itself.

      I'm building a safe agent execution layer, a runtime where agents can act but cannot access secrets. Kind of a sidecar that is callable by the agent for using API keys, secrets, private keys, etc., plus one can add policy on how and what an agent can do.

      does this seem good?
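A sketch of the pattern 10keane and devendra116 describe, as an added example that is not code from either commenter: the LLM only ever sees `<secret:name>` placeholders, the executor substitutes real values at tool-execution time, a per-tool allowlist decides which secrets a tool may receive, and tool output is scrubbed before it goes back to the model. The vault contents, tool names and policy table are constructed sample data; for devendra116's point to hold, this resolver must run in a separate process (the "sidecar") rather than inside the agent's own process.

```python
import re

# Constructed stand-in for a real keyring / secret store. These values are
# sample data; nothing here talks to a real service.
VAULT = {
    "gmail.password": "SAMPLE-gmail-secret",
    "github.token": "SAMPLE-github-token",
}

# Placeholder syntax as in the thread: <secret:gmail.password>
PLACEHOLDER = re.compile(r"<secret:([A-Za-z0-9_.-]+)>")

# Policy: which secrets each tool is allowed to have substituted into its
# arguments. A tool not listed here gets no secrets at all.
POLICY = {
    "send_mail": {"gmail.password"},
    "git_push": {"github.token"},
}


class PolicyViolation(Exception):
    """Raised when a tool asks for a secret the policy does not grant it."""


def resolve(tool: str, args: dict) -> dict:
    """Replace placeholders in string arguments with real values, enforcing POLICY."""
    allowed = POLICY.get(tool, set())

    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in allowed:
            raise PolicyViolation(f"tool {tool!r} may not use secret {name!r}")
        return VAULT[name]  # KeyError if the secret does not exist

    return {k: PLACEHOLDER.sub(substitute, v) if isinstance(v, str) else v
            for k, v in args.items()}


def redact(text: str) -> str:
    """Scrub any vault value that leaked into tool output before the LLM sees it."""
    for value in VAULT.values():
        text = text.replace(value, "[REDACTED]")
    return text


def run_tool(tool: str, args: dict) -> str:
    """Resolve secrets, run the (stand-in) tool, and return redacted output."""
    real_args = resolve(tool, args)
    output = f"{tool} called with {real_args}"  # a real tool would call its API here
    return redact(output)
```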

  • j_gonzalez 4 hours ago
    [dead]