GitHub Repository

Local vault for AI agents. Use API keys without exposing raw stored keys to the model.

13 starsRust

Cloak – let AI agents use your API keys without ever seeing them

Name: Cloak – let AI agents use your API keys without ever seeing them
Availability: InStock
Author: VarunMenon

by VarunMenon·Jun 21, 2026·2 points·0 comments

Visit Project View on HN

AI Analysis

●●●BangerBig BrainSolve My Problem

No read_secret tool means agents can use keys without ever reading them.

Strengths

•Proxy architecture prevents key leakage through prompt injection attacks
•Allowlist-by-default policy with live policy updates, no daemon restart needed
•SLSA L3 provenance and macOS notarization shows serious security posture

Weaknesses

•Only macOS and Linux support, no Windows binaries yet
•Requires running a local daemon, adds complexity to agent setups

Similar Projects

Security●●Solid

OneCLI – Vault for AI Agents in Rust

Agents never see real keys, but Vault already does secret injection.

Solve My ProblemSlick

guyb3

161523mo ago

Security●Mid

Keychains – Prevent LLM/OpenClaw agents from leaking API credentials

Agents never touch raw tokens — you swap literal credentials for template variables and a proxy injects scoped secrets server-side while surfacing one‑click approval links to humans. It also fingerprints machines, uses SSH key auth, and tries to infer minimal OAuth scopes per request, which is a neat user-in-the-loop model. The obvious trade-off is centralizing trust in the proxy and the integration work for every provider, but the UX for human approvals and instant revocation is compelling.

Big BrainSolve My ProblemSlick

severin

104mo ago

Security●●●Banger