Agent Leaking Tools and API Keys
Hi,
I just want to raise the issue that our in-production agent leaked all our tool usage and API keys in a live client chat today.
The only way it has access to the API key is within the agent tools.
This cannot be happening.
Lowe

9 Replies
@David @Braden (Voiceflow CEO)
Is there any way you can architect your solution so your API key doesn't touch your agent?
I don't think you can trust any agentic solution to pass API keys. Better to have that stuff done in the backend.
Ultimately, if an API key ends up in an LLM's context window, it is unpredictable and could be leaked at any moment.
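The backend pattern the reply above describes, as an added example that is not part of the thread and is not Voiceflow code. It simulates an agent framework serializing tool definitions into the model's context, shows that a key set as a default header in the tool is then literally in the prompt text, and contrasts that with a tool that points at a backend proxy which holds the key itself. The URLs, the `sk_live_` key format and the `WEATHER_API_KEY` name are made up for the example; the redaction regex is a best-effort last line of defence, not a substitute for keeping the key out of the agent.

```python
"""Added example (not from the thread, not Voiceflow code): why a key that is a
preset value inside a tool can surface in chat, and the backend-proxy shape that
keeps it out of the model's context. All names, URLs and keys are constructed."""
import json
import re
from dataclasses import dataclass, field


@dataclass
class ToolSpec:
    name: str
    description: str
    url: str
    # Default headers. Agent frameworks commonly serialize the whole tool spec,
    # defaults included, into the schema the model is shown.
    headers: dict = field(default_factory=dict)


def build_tool_context(tools):
    """Simulate the agent framework: tool specs become prompt text."""
    return json.dumps([vars(t) for t in tools], indent=2)


# Constructed secret; the "sk_live_" prefix is an assumption, not a real format.
FAKE_KEY = "sk_live_EXAMPLE0123456789abcdef"
SECRETS = {"WEATHER_API_KEY": FAKE_KEY}

# Anti-pattern: the key is a preset default on the tool, so it is part of the
# text the model can quote back to a user, whether asked or not.
UNSAFE_TOOL = ToolSpec(
    "weather", "Get a forecast", "https://api.weather.example/v1/forecast",
    headers={"Authorization": f"Bearer {FAKE_KEY}"},
)

# Fix: the tool calls a backend route that needs no credential from the agent.
SAFE_TOOL = ToolSpec(
    "weather", "Get a forecast", "https://backend.internal.example/proxy/weather",
)


def context_contains_secret(context, secrets):
    """Check the serialized tool context for any secret value verbatim."""
    return [name for name, value in secrets.items() if value in context]


def upstream_weather(headers, city):
    """Stand-in for the third-party API: rejects calls without the right key."""
    if headers.get("Authorization") != f"Bearer {FAKE_KEY}":
        return {"error": "unauthorized"}
    return {"city": city, "forecast": "sunny"}


def backend_proxy(tool_call, secrets):
    """Backend side of the proxy. The key is read from the secret store here,
    attached to the upstream call, and only the upstream payload goes back to
    the agent; the headers never do."""
    if tool_call["name"] != "weather":
        raise ValueError("unknown tool")
    headers = {"Authorization": f"Bearer {secrets['WEATHER_API_KEY']}"}
    return upstream_weather(headers, tool_call["args"]["city"])


# Best-effort outbound guardrail: redact anything that looks like the key
# format before a reply reaches the user. Only as good as the pattern list.
SECRET_PATTERN = re.compile(r"\bsk_live_[A-Za-z0-9]{16,}\b")


def redact_outbound(text):
    return SECRET_PATTERN.sub("[REDACTED]", text)


if __name__ == "__main__":
    print("unsafe tool leaks:", context_contains_secret(build_tool_context([UNSAFE_TOOL]), SECRETS))
    print("safe tool leaks:  ", context_contains_secret(build_tool_context([SAFE_TOOL]), SECRETS))
    print("proxy result:     ", backend_proxy({"name": "weather", "args": {"city": "Oslo"}}, SECRETS))
    print("redacted:         ", redact_outbound(f"sure, the key is {FAKE_KEY}"))
```

The useful check is `context_contains_secret`: run it against whatever your framework actually hands the model (exported prompt, debug transcript) rather than against your own mental model of what the tool "has". If a secret value appears in that text, no prompt guardrail makes it safe.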
Hey @Lowe - you should be using Secrets, not variables.
We have a secrets manager for this purpose @Hugh Fungus @Lowe
I don't have it within a variable; it's a pre-set value within the tool.
Is it on agent collect? It looks like the agent is asking for it.
No, it is set as a default value.
Hmmm, how did it produce the above response? It doesn't seem like a user response.
Do you have any guardrails set in your prompt?
Here's an example of the kind of instructions I'm using for some of our agents