BlindKey: Blind Credential Injection for AI Agents

How BlindKey Works
BlindKey addresses the security risk of AI agents handling plaintext API credentials. Instead of giving agents direct access to secrets, agents reference a secret by vault token (e.g., bk://stripe) while the secret itself stays in an encrypted vault. A local proxy intercepts outgoing requests, resolves the token, and injects the actual credential at the moment the API request is made. The agent process never sees or stores the plaintext secret.
Security Features
- AES-256-GCM encryption for data at rest
- Domain allowlisting per secret (e.g., a Stripe key can only be used with api.stripe.com)
- Default-deny filesystem gating
- Content scanning on agent writes to detect accidentally leaked credentials or PII
- Tamper-evident audit log with cryptographic hash chain
Threat Model and Attack Surface
The main weakness identified is an agent that can read BlindKey's own process memory or vault file, which would bypass the blind-injection protection entirely. Current mitigations are SQLite encryption and OS-level file permissions. The source suggests that kernel-level sandboxing (like nono's approach) would provide stronger protection.
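To make the mechanism concrete, here is a minimal model of the three ideas above: a proxy that resolves bk:// tokens at request time, a per-secret domain allowlist, and a hash-chained audit log. This is an added illustration written for this summary, not BlindKey's own code, and it assumes an in-memory vault with constructed placeholder secrets (BlindKey encrypts its vault at rest; the vault shape, header-only substitution, and the log format here are all assumptions).

```python
import hashlib
import json
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample vault: token name -> secret plus the hosts it may be sent to.
# The proxy holds this; the agent only ever sees the bk:// reference.
VAULT = {
    "stripe": {"secret": "sk_test_PLACEHOLDER_NOT_REAL", "hosts": {"api.stripe.com"}},
    "github": {"secret": "ghp_PLACEHOLDER_NOT_REAL", "hosts": {"api.github.com"}},
}

# Assumed token syntax: bk://<name>, where <name> is a vault key.
TOKEN_RE = re.compile(r"bk://([A-Za-z0-9_-]+)")
GENESIS = "0" * 64


class InjectionDenied(Exception):
    """Raised when a token is unknown or its allowlist does not cover the target host."""


@dataclass
class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""
    entries: list = field(default_factory=list)
    head: str = GENESIS

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        payload = json.dumps({"prev": prev, "event": event}, sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()

    def append(self, event: dict) -> str:
        digest = self._digest(self.head, event)
        self.entries.append({"prev": self.head, "event": event, "hash": digest})
        self.head = digest
        return digest

    def verify(self) -> bool:
        """Recompute the chain; any edited, dropped or reordered entry breaks it."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["event"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return prev == self.head


def lookup(name: str, host: str, log: AuditLog) -> str:
    """Resolve one vault token for a request to `host`, enforcing the allowlist."""
    entry = VAULT.get(name)
    if entry is None:
        log.append({"token": name, "host": host, "result": "unknown_token"})
        raise InjectionDenied(f"unknown vault token {name!r}")
    if host not in entry["hosts"]:
        # Stripe key aimed at a non-Stripe host: refuse, and record the attempt.
        log.append({"token": name, "host": host, "result": "host_denied"})
        raise InjectionDenied(f"token {name!r} is not allowed for host {host!r}")
    log.append({"token": name, "host": host, "result": "injected"})
    return entry["secret"]


def inject(request: dict, log: AuditLog) -> dict:
    """Return a copy of the agent's request with bk:// references in header
    values replaced by real credentials. The agent's own dict is left untouched,
    so the plaintext exists only in the proxy's copy."""
    host = urlparse(request["url"]).hostname or ""
    headers = {
        k: TOKEN_RE.sub(lambda m: lookup(m.group(1), host, log), v)
        for k, v in request.get("headers", {}).items()
    }
    return {**request, "headers": headers}


def is_denied(request: dict, log: AuditLog) -> bool:
    """True if the proxy refuses to inject for this request."""
    try:
        inject(request, log)
        return False
    except InjectionDenied:
        return True


if __name__ == "__main__":
    log = AuditLog()
    ok = {"url": "https://api.stripe.com/v1/charges",
          "headers": {"Authorization": "Bearer bk://stripe"}}
    print(inject(ok, log)["headers"]["Authorization"])
    bad = {"url": "https://collector.example/upload",
           "headers": {"Authorization": "Bearer bk://stripe"}}
    print("denied:", is_denied(bad, log))
    print("log intact:", log.verify())
```

The denied case is the one worth studying: the agent can still be tricked into addressing a request to the wrong host, but the allowlist stops the credential from ever being attached, and the attempt lands in the chained log where a later edit to it is detectable by `verify()`.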
The tool is available on GitHub at github.com/michaelkenealy/blindkey.
📖 Read the full source: r/openclaw
👀 See Also

Unsecured Paperclip Instances Exposing Live Dashboards via Google Search
A Reddit user discovered a live Paperclip dashboard with full organizational data indexed by Google after searching for an error. The instance was publicly exposed without authentication, revealing org charts, agent conversations, task assignments, and business plans.

Coldkey: Post-Quantum Age Key Generation and Paper Backup Tool
Coldkey generates post-quantum age keys (ML-KEM-768 + X25519) and produces single-page printable HTML backups with QR codes for offline storage.

Litellm PyPI Package Compromised: Malicious Version 1.82.8 Exfiltrated Credentials
The litellm PyPI package, which unifies calls to OpenAI, Anthropic, Cohere and other LLM providers, was compromised with malicious version 1.82.8 that exfiltrated SSH keys, cloud credentials, API keys, and other sensitive data for about an hour.

ThornGuard: A Proxy Gateway to Secure MCP Server Connections from Prompt Injection
ThornGuard is a proxy that sits between MCP clients and upstream servers, scanning traffic for injection patterns, stripping PII, and logging to a dashboard. It was built after testing revealed vulnerabilities where servers could embed hidden instructions in tool responses.