AgentSecrets Launches Zero-Knowledge Proxy to Protect AI Agent Credentials After 30,000+ Compromises
Key Takeaways
- AgentSecrets is a zero-knowledge credential proxy that allows AI agents to make authenticated API calls without ever accessing actual credential values
- The system stores credentials in OS-native keychains (macOS Keychain, Linux Secret Service, Windows Credential Manager) and injects them at the HTTP transport layer
- Developed in response to the OpenClaw/ClawHavoc campaign that compromised 30,000+ AI agent installations by stealing plaintext credentials
Summary
Following the recent OpenClaw/ClawHavoc campaign that compromised over 30,000 AI agent installations and exposed 8,000+ MCP servers, developer steppacodes has released AgentSecrets, an open-source credential management system designed specifically for AI agents. The tool operates on a fundamental architectural insight: AI agents are users, not applications, and therefore don't need direct access to credential values to make authenticated API calls.
AgentSecrets functions as a local HTTP proxy that sits between AI agents and upstream APIs. When an agent needs to make an authenticated call, it references a credential by name (like "STRIPE_KEY") rather than using the actual value. The proxy then retrieves the real credential from the operating system's native keychain (macOS Keychain, Linux Secret Service, or Windows Credential Manager), injects it into the request at the transport layer, and returns only the API response. The actual credential value never enters the agent's memory or appears in logs.
The system includes multiple security features: the proxy listens on localhost:8765 and requires a session token, so rogue local processes cannot use it; SSRF protection that blocks private IPs and non-HTTPS targets; redirect stripping so auth headers are never forwarded to a redirect target; and a JSONL audit log whose record format has no field for credential values, so it structurally cannot record them. It supports six injection methods: bearer tokens, basic auth, custom headers, query parameters, JSON body, and form fields. The project is MIT-licensed and includes native integrations for Claude Desktop, Cursor's MCP server, and OpenClaw.
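To make the flow described above concrete, here is an added Python model of the proxy's decision path (my own illustration, not AgentSecrets code): the agent names a credential, the proxy checks the session token and the target, pulls the value from a stand-in keychain, injects it with one of the six methods, disables redirects, and writes an audit record that has no slot for the value. The `KEYCHAIN` dict, the token, the request dict shape and all function names are assumptions.

```python
import base64, ipaddress, json
from urllib.parse import urlencode, urlsplit
# Constructed stand-in for the OS keychain the real tool reads from.
KEYCHAIN = {"STRIPE_KEY": "sk_test_constructed_value"}
SESSION_TOKEN = "constructed-session-token"  # handed to the agent at proxy start
AUDIT_LOG = []  # JSONL records; the record shape has no field for a secret value

def target_allowed(url):
    # SSRF guard: HTTPS only, and no loopback/private literal-IP targets.
    u = urlsplit(url)
    if u.scheme != "https" or not u.hostname:
        return False
    try:
        return ipaddress.ip_address(u.hostname).is_global
    except ValueError:
        return True  # hostname: a real proxy resolves it and re-checks the IP

def inject(outbound, value, method, field):
    # Place the secret into the outbound request via one of six methods.
    h = outbound["headers"]
    if method == "bearer":
        h["Authorization"] = "Bearer " + value
    elif method == "basic":  # field is the username
        h["Authorization"] = "Basic " + base64.b64encode(f"{field}:{value}".encode()).decode()
    elif method == "header":
        h[field] = value
    elif method == "query":
        outbound["url"] += ("&" if "?" in outbound["url"] else "?") + urlencode({field: value})
    elif method == "json":
        outbound["body"] = json.dumps({**json.loads(outbound["body"] or "{}"), field: value})
        h["Content-Type"] = "application/json"
    elif method == "form":
        outbound["body"] = urlencode({field: value})
        h["Content-Type"] = "application/x-www-form-urlencoded"
    else:
        raise ValueError("unknown injection method")
    return outbound

def proxy(session_token, agent_request, cred_name, method, field=None):
    # Turn the agent's name-only request into the upstream request, or refuse it;
    # allow_redirects=False so a 3xx never carries the injected header onward.
    if session_token != SESSION_TOKEN:
        raise PermissionError("bad session token")  # e.g. a rogue local process
    if not target_allowed(agent_request["url"]):
        raise ValueError("target blocked: non-HTTPS or private address")
    outbound = {"url": agent_request["url"], "body": agent_request.get("body"),
                "headers": dict(agent_request.get("headers", {})), "allow_redirects": False}
    inject(outbound, KEYCHAIN[cred_name], method, field)
    AUDIT_LOG.append(json.dumps({"cred": cred_name, "method": method, "host": urlsplit(outbound["url"]).hostname}))
    return outbound
```

The agent only ever passes the name `STRIPE_KEY`; the value appears solely in the `outbound` dict that the transport layer sends, and the audit line records the name, method and host.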
The developer acknowledges an honest limitation: if a malicious plugin has independent network access outside AgentSecrets, it could still make unauthorized calls. However, for the specific attack vector that just affected 30,000 OpenClaw users—exfiltration of plaintext credentials from .env files—AgentSecrets provides structural prevention by ensuring keys never touch the filesystem in the first place.
- Open-source (MIT license) with integrations for Claude Desktop, Cursor, and OpenClaw, plus multiple installation methods including npm, pip, Homebrew, and Go
- While it prevents credential exfiltration attacks, it cannot stop malicious plugins with independent network access from making unauthorized API calls through other channels
Editorial Opinion
AgentSecrets represents a pragmatic response to a real and growing security problem in the AI agent ecosystem. The architectural insight—that agents need to make authenticated calls but don't need credential values themselves—is both obvious in hindsight and genuinely novel in implementation. By leveraging OS-native credential stores and transport-layer injection, the project addresses the specific attack vector that just compromised 30,000 installations without requiring fundamental changes to agent frameworks. The honest acknowledgment of limitations (it can't prevent all attacks, just credential theft) demonstrates mature security thinking and sets appropriate expectations for adopters.