
Just-in-time API keys for AI agents - and any other process you route through it: the caller only ever sees a placeholder.

12 stars · Python

AVP – an agent can't leak a secret it never had

by radku·Jun 11, 2026·3 points·1 comment

AI Analysis

●● Solid · Big Brain · Solve My Problem

Agents can't leak secrets they never had—placeholder injection at the wire.

Strengths
  • Process never holds real credential bytes, so prompt injection can't exfiltrate them.
  • 1-3ms steady-state latency with audit fsync on every inject decision.
  • Host and method bindings ensure placeholders only swap for intended destinations.
Weaknesses
  • Bitwarden dependency limits adoption for teams using other secret managers.
  • Proxy architecture adds operational complexity compared to direct API calls.
Category
Target Audience

Developers running AI coding agents with API access

Similar To

HashiCorp Vault Agent · AWS Secrets Manager Proxy

Post Description

A process can't leak a secret it never had.

Shai-hulud, prompt-injection - you name it. They cannot steal what your agent (or a process) doesn't have.

I run coding agents (Claude Code, Codex) on my own machines most of the day. Every one of them wants real API keys in env, and I have been scratching my head for the last few months over how to contain it.

The usual answer to this is a firewall. I don't buy it. A firewall tries to contain a secret the process is still holding, and the rules are painful to maintain.

AVP gives the agent a placeholder and injects the real value at the last moment, on the wire:

```
# the agent's env holds only a placeholder
STRIPE_API_KEY=avp-placeholder

# agent sends:
Authorization: Bearer avp-placeholder

# AVP forwards upstream:
Authorization: Bearer sk_live_...real...
```

Keep your passwords in your vault where they belong. AVP initially relies on Bitwarden as a secret manager. It's MIT licensed.

Appreciate any feedback.
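
The placeholder swap with host and method bindings described above, sketched as an added example; this is not AVP's code, and `Binding`, `VAULT`, `BINDINGS`, `normalize_host` and `inject` are hypothetical names with constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    placeholder: str      # the only value the agent process ever holds
    secret_ref: str       # name of the vault item (hypothetical)
    hosts: frozenset      # exact upstream hosts allowed to receive the secret
    methods: frozenset    # HTTP methods allowed to carry it

# Constructed sample data; a real proxy would fetch the value from the vault.
VAULT = {"stripe-key": "sk_test_CONSTRUCTED"}
BINDINGS = (Binding("avp-placeholder", "stripe-key",
                    frozenset({"api.stripe.com"}), frozenset({"GET", "POST"})),)

def normalize_host(host):
    """Lowercase, drop the port and any trailing dot (IPv6 literals not handled)."""
    return host.lower().rsplit(":", 1)[0].rstrip(".")

def inject(method, host, headers, audit, bindings=BINDINGS, vault=VAULT):
    """Return (decision, outbound_headers); headers is None when denied."""
    out, decision = dict(headers), "pass"
    for b in bindings:
        hit = [k for k, v in out.items() if b.placeholder in v]
        if not hit:
            continue
        # Exact host match, not suffix or substring: look-alike hosts fail.
        allowed = (normalize_host(host) in b.hosts
                   and method.upper() in b.methods)
        decision = "inject" if allowed else "deny"
        # The audit record names the secret and the decision, never the value.
        audit.append({"decision": decision, "secret": b.secret_ref,
                      "host": host, "method": method})
        if not allowed:
            return "deny", None          # fail closed: nothing is forwarded
        for k in hit:
            out[k] = out[k].replace(b.placeholder, vault[b.secret_ref])
    return decision, out
```

A request that carries the placeholder to an unbound host or method is dropped rather than forwarded, so the real value only ever appears on the connection to the bound destination.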

Similar Projects

Security · ●●● Banger

Phantom – Let AI use your API keys without leaking them

Proxy tokens worthless if leaked, real keys never enter LLM context windows.

Big Brain · Solve My Problem · Dark Horse
masonwyatt23
202mo ago
Developer Tools · ●● Solid

ClawProxy: An HTTP proxy that injects auth tokens into API calls

It replaces real API keys with short proxy tokens (e.g. PROXY:openai) and uses an X-Upstream-Host allowlist to ensure containers can only hit approved endpoints — neat and low-friction. Comes as a tiny Rust CLI with init/secret set/start commands and clear SDK examples, so you can bolt it onto OpenClaw or Docker agents without adopting a full secrets vault.

Niche Gem · Big Brain
LordHumungous
203mo ago
Security · ●● Solid

Aquaman keeping your OpenClaw secrets safe

The plugin-proxy split is smart: credentials live in a backend (Keychain/1Password/Vault/etc.) and a separate proxy injects auth headers over a UDS so the agent process never handles raw keys. It autosurveys plugin configs and channels to migrate plaintext secrets and even ships a Docker image and CLI for local setups — very practical for anyone already on OpenClaw, though it’s narrowly focused and adds an extra trusted component that deserves an audit.

Niche Gem · Solve My Problem
tech4242
104mo ago