Don’t scare me
It started with GitHub Copilot for code completion and has moved on to AI coding agents writing your code. One thing that hasn’t changed is that the tool keeps uploading whatever context from your codebase it deems appropriate, without you auditing it (auditing every upload yourself would be annoying enough to defeat the point of these tools).
That leaves an obvious hole: what exact context is passed to the LLM provider is usually not visible enough to the end user, and in your local dev environment you almost certainly have secrets lying around in your .envrc, env.local and shell history, or sometimes even directly in the code file you are hacking on real quick.
“But, wait, but, I am very certain that I have opted out of telemetry and my Pro/Max plan disabled data for model training!”
Hey, look: the content sent as context is not the same thing as telemetry or model-training data. Those are plain-text bytes that are simply needed to use an LLM that is not hosted locally in the first place. Any hop (even a temporary one) between you and the LLM provider can, by mistake or by design, log your prompt and context for many reasons, and it may well fail to recognize the pattern of your secret and scrub it.
“Oh, but I trust them like, they have SOC2 audits and all the fancy certificates!”
My friend, the people who put your compromised account info up for sale are almost never the employees; they are the attackers who gain unauthorized access and steal it. You should have the same level of caution and pessimism that makes you never reuse a password across sites: you never know how a site stores your passwords or when it will have a data breach.
“Nah, I have a deal for a zero data retention policy with them.”
Doesn’t matter: if a mistake like inappropriate logging can happen, it will happen. Even if the immediate team behind your agent is world-class professionals, what about all the subprocessors? Avoid betting your security on someone else’s hands when you can avoid it entirely. Ignoring the problem doesn’t make it go away. In Chinese, we call this “掩耳盗铃”, which translates to “covering one’s ears while stealing the bell”, the equivalent of burying one’s head in the sand like an ostrich.
“I’m worried now, what should I do then?”
The principle is to minimize the chances of a leak. There will always be bugs here and there in software, but best practices help immensely, just like safety procedures in manufacturing. Acknowledging the problem and always staying conscious of your surroundings is the key.
Security best practices
None of the security best practices listed here is really new, but obvious things are easy to miss and wrongly taken for granted when the paradigm has changed.
Practice #1: Do not use agents that you do not trust
Or agent software that wasn’t downloaded from trusted sources and only “looks legit”.
Practice #2: Do not put secrets directly in the code or shell history
Code is uploaded as context, not to mention that many accidental secret leaks come from “forgot to swap it out and just pushed”. LLM-enabled terminals will look through your shell history and use it as context as well. Always load secrets from env files or, better, if possible, from a secrets store.
Practice #3: Disable LLM features on sensitive files
If your agent doesn’t support ignoring certain files (either by configuration or OOTB) when looking for context, stop reading and delete them RIGHT NOW.
Practice #4: Use separate secrets between local dev and production
Don’t fall for convenience and risk a security incident. Obviously, this only matters if someone cares to hack into your system. Use your own judgement.
Practice #5: Use fine-grained and time-bound secrets whenever possible
Not always possible, hence “whenever possible”. The damage from a leak doesn’t happen right away, but long after you have forgotten about it.
A short, good read by 1Password: Securing the agentic future: Where MCP fits and where it doesn’t.
Practice #6: Revoke or rotate immediately whenever in doubt
The moment you realize it’s late is actually the earliest moment you can act. Just revoke or rotate whenever in doubt, and get a good night’s sleep.
Practice #7: Once again, always stay conscious about your surroundings
Take care of yourself.
What should agent vendors do?
- Your agent should ALWAYS provide ways to redact secrets: built-in patterns for obvious services, but also the option to selectively disable features on certain file types, because not all secrets have a pattern (I’m looking at you, Google app passwords).
- Document security guidelines publicly and clearly. Take a look at Sourcegraph Amp’s Security Reference; every agent should have that.
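As an added illustration (not code from this post or from any agent vendor), here is a small Python pre-upload filter of the kind Practices #2 and #3 and the first vendor point describe: files such as .envrc and shell history are excluded wholesale, since not every secret has a pattern, while recognizable shapes in other files are redacted in place and a per-file report says what was removed. The glob list, the regex list and the sample files are constructed for this example, and the AWS-style value is the publicly documented example key.

```python
import re
from fnmatch import fnmatch

# Files that never leave the machine, whatever they contain: env files, key
# material, shell history. Secrets there often have no recognizable shape.
SENSITIVE_GLOBS = (".envrc", ".env", ".env.*", "*.pem", "*.key", ".*_history")

# Secrets that do have a shape are redacted in place (illustrative list only).
SECRET_PATTERNS = [  # (name, regex, replacement template; \1 keeps a prefix)
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED:aws_access_key]"),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[\w.~+/=-]{20,}"), "[REDACTED:bearer_token]"),
    # KEY=value / key: value lines whose name hints at a secret; the name is kept.
    ("secret_assignment", re.compile(
        r"(?im)^(\s*(?:export\s+)?[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY)"
        r"[A-Z0-9_]*\s*[=:]\s*)\S+[ \t]*$"),
     r"\1[REDACTED:secret_assignment]"),
]

def is_sensitive_path(path: str) -> bool:
    """True if the file is excluded from context entirely."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return any(fnmatch(name, g) for g in SENSITIVE_GLOBS)

def redact_text(text: str) -> tuple[str, list[str]]:
    """Redact known secret shapes; return the text and the names that matched."""
    hits = []
    for name, pattern, template in SECRET_PATTERNS:
        text, count = pattern.subn(template, text)
        if count:
            hits.append(name)
    return text, hits

def filter_context(files: dict[str, str]) -> tuple[dict[str, str], dict[str, list[str]]]:
    """Return the context that may be uploaded plus a per-file audit report."""
    safe, report = {}, {}
    for path, content in files.items():
        if is_sensitive_path(path):
            safe[path], report[path] = "[FILE EXCLUDED: sensitive path]", ["excluded"]
            continue
        safe[path], report[path] = redact_text(content)
    return safe, report

# Constructed sample files; the credential-looking values are placeholders.
# The DATABASE_URL password has no recognizable shape: only the path rule catches it.
SAMPLE_FILES = {
    "app/main.py": "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n"
                   "headers = {'Authorization': 'Bearer sk_test_0123456789abcdef0123456789'}\n",
    ".envrc": "export DATABASE_URL=postgres://app:hunter2@localhost/db\n",
    "config.yaml": "smtp_password: hunter2-app-pw\nregion: us-east-1\n",
}
```

Printing the report alongside the filtered context gives the user the visibility the post complains is missing: exactly which files were held back and which values were scrubbed before anything was sent.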