L

Voiceflow•4w ago

Agent Leaking Tools and API Keys

Hi,

I just want to arise the issue that our in production agent leaked all our tools usage and API keys in a live client chat today.

The only way it has access to the API key is within the agent tools.

This can not be happening.

Lowe

Voiceflow is your community to get help, stay up to date on product releases, and connect with builders, experts, and the Voiceflow team⚡

12,999Members

View on Discord

Was this page helpful?

Lowe

L

LoweOP•11/21/25, 9:41 AM

@David @Braden (Voiceflow CEO)

Hugh Fungus

H

Hugh Fungus•11/21/25, 12:39 PM

Any way you can architect your solution so your API key doesn't touch your agent?

I don't think you can trust any agentic solutions to pass API keys. Better to have that stuff done in the backend

Hugh Fungus

H

Hugh Fungus•11/21/25, 12:40 PM

Ultimately if an API key ends up in an LLM's context window, it is unpredictable and could be leaked at any moment

Braden

B

Braden•11/21/25, 3:50 PM

hey @Lowe - you should be using Secrets, not variables

Braden

B

Braden•11/21/25, 3:51 PM

We have a secrets manager for this purposefully @Hugh Fungus @Lowe

Braden

BBraden hey @Lowe - you should be using Secrets, not variables

Lowe

L

LoweOP•11/21/25, 3:52 PM

I do not have it within a variable, it's a pre-set value within the tool.

Braden

B

Braden•11/21/25, 4:35 PM

is it on agent collect? it looks like the agent is asking for it

Lowe

L

LoweOP•11/21/25, 7:49 PM

No it is set as default value

Braden

B

Braden•11/21/25, 9:43 PM

Hmmm, how did it produce the above response? doesn't seem like a user response

NiKo | Voiceflow

N

NiKo | Voiceflow•11/28/25, 2:14 PM

Do you have any guardrails set in your prompt?

NiKo | Voiceflow

N

NiKo | Voiceflow•11/28/25, 2:14 PM

Here's an example of the kind of instructions I'm using for some of our agents

guardrails_instructions_example.txt7.38KB