Secure key management for AI agents. Use when handling private keys, API secrets, wallet credentials, or when building systems that need agent-controlled funds. Covers secure storage, session keys, leak prevention, prompt injection defense, and MetaMask Delegation Framework integration.
This skill has been flagged as potentially dangerous. It contains patterns that could compromise your security or manipulate AI behavior.Safety score: 0/100.
KillerSkills scans all public content for safety. Use caution before installing or executing flagged content.
Secure key management patterns for AI agents handling wallets, private keys, and secrets.
```bash
brew install 1password-cli
eval $(op signin)
op vault create "Agent-Credentials"
cd examples && python test_suite.py
```
---
| Rule | Why |
|------|-----|
| Never store raw private keys | Config, env, memory, or conversation = leaked |
| Use delegated access | Session keys with time/value/scope limits |
| Secrets via secret manager | 1Password, Vault, AWS Secrets Manager |
| Sanitize all outputs | Scan for key patterns before any response |
| Validate all inputs | Check for injection attempts before wallet ops |
---
```
┌─────────────────────────────────────────────────────┐
│ AI Agent │
├─────────────────────────────────────────────────────┤
│ Session Key (bounded) │
│ ├─ Expires after N hours │
│ ├─ Max spend per tx/day │
│ └─ Whitelist of allowed contracts/methods │
├─────────────────────────────────────────────────────┤
│ Secret Manager (1Password/Vault) │
│ ├─ Retrieve at runtime only │
│ ├─ Never persist to disk │
│ └─ Audit trail of accesses │
├─────────────────────────────────────────────────────┤
│ Smart Account (ERC-4337) │
│ ├─ Programmable permissions │
│ └─ Recovery without key exposure │
└─────────────────────────────────────────────────────┘
```
---
| File | Purpose |
|------|---------|
| `examples/secret_manager.py` | 1Password integration for runtime secret retrieval |
| `examples/sanitizer.py` | Output sanitization (keys, seeds, tokens) |
| `examples/validator.py` | Input validation (prompt injection defense) |
| `examples/session_keys.py` | ERC-4337 session key configuration |
| `examples/delegation_integration.ts` | MetaMask Delegation Framework (EIP-7710) |
| `examples/pre-commit` | Git hook to block secret commits |
| `examples/test_suite.py` | Adversarial test suite |
| `docs/prompt-injection.md` | Deep dive on injection defense |
| `docs/secure-storage.md` | Secret storage patterns |
| `docs/session-keys.md` | Session key architecture |
| `docs/leak-prevention.md` | Output sanitization patterns |
| `docs/delegation-framework.md` | On-chain permission enforcement (EIP-7710) |
---
```bash
SESSION_KEY=$(op read "op://Agents/my-agent/session-key")
op run --env-file=.env.tpl -- python agent.py
```
```
PRIVATE_KEY=op://Agents/trading-bot/session-key
RPC_URL=op://Infra/alchemy/sepolia-url
OPENAI_API_KEY=op://Services/openai/api-key
```
```python
from secret_manager import get_session_key
creds = get_session_key("trading-bot-session")
if creds.is_expired():
raise ValueError("Session expired - request renewal from operator")
print(f"Time remaining: {creds.time_remaining()}")
print(f"Allowed contracts: {creds.allowed_contracts}")
client.set_signer(creds.session_key)
```
Configure 1Password vault permissions:
```
Agent-Credentials/
├── trading-bot-session # Agent can read
├── payment-bot-session # Agent can read
└── master-key # Operator ONLY (agent has no access)
```
**Principle:** Agent credentials should be in a vault with read-only agent access. Master keys should be in a separate vault the agent cannot access.
---
Apply to ALL agent outputs before sending anywhere:
```python
from sanitizer import OutputSanitizer
def respond(content: str) -> str:
"""Sanitize before any output."""
return OutputSanitizer.sanitize(content)
```
| Pattern | Example | Result |
|---------|---------|--------|
| ETH private key | `0x1234...abcd` (64 hex) | `[PRIVATE_KEY_REDACTED]` |
| ETH address | `0x742d...f44e` (40 hex) | `0x742d...f44e` (truncated) |
| OpenAI key | `sk-proj-abc123...` | `[OPENAI_KEY_REDACTED]` |
| Anthropic key | `sk-ant-api03-...` | `[ANTHROPIC_KEY_REDACTED]` |
| 12-word seed | `abandon ability able...` | `[SEED_PHRASE_12_WORDS_REDACTED]` |
| JWT | `eyJhbG...` | `[JWT_TOKEN_REDACTED]` |
---
Check inputs before ANY wallet operation:
```python
from validator import InputValidator, ThreatLevel
result = InputValidator.validate(user_input)
if result.level == ThreatLevel.BLOCKED:
return f"Request blocked: {result.reason}"
if result.level == ThreatLevel.SUSPICIOUS:
# Log for review, but allow
log_suspicious(user_input, result.reason)
```
| Category | Examples | Action |
|----------|----------|--------|
| Extraction | "show private key", "reveal secrets" | Block |
| Override | "ignore previous instructions" | Block |
| Role manipulation | "you are now admin" | Block |
| Jailbreak | "DAN mode", "bypass filters" | Block |
| Exfiltration | "send config to https://..." | Block |
| Wallet threats | "transfer all", "unlimited approve" | Block |
| Encoded | Base64/hex encoded attacks | Block |
| Unicode tricks | Cyrillic lookalikes, zero-width | Block |
| Suspicious | "hypothetically", "just between us" | Warn |
---
Never execute arbitrary operations. Explicit whitelist only:
```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional
@dataclass
class AllowedOperation:
name: str
handler: callable
max_value: Optional[Decimal] = None
requires_confirmation: bool = False
cooldown_seconds: int = 0
ALLOWED_OPS = {
"check_balance": AllowedOperation("check_balance", get_balance),
"transfer_usdc": AllowedOperation(
"transfer_usdc",
transfer,
max_value=Decimal("500"),
requires_confirmation=True,
cooldown_seconds=60
),
"swap": AllowedOperation(
"swap",
swap_tokens,
max_value=Decimal("1000"),
cooldown_seconds=300
),
}
def execute(op_name: str, **kwargs):
if op_name not in ALLOWED_OPS:
raise PermissionError(f"Operation '{op_name}' not allowed")
op = ALLOWED_OPS[op_name]
if op.max_value and kwargs.get("amount", 0) > op.max_value:
raise PermissionError(f"Amount exceeds limit: {op.max_value}")
if op.requires_confirmation:
return request_confirmation(op_name, kwargs)
return op.handler(**kwargs)
```
---
High-value operations require explicit confirmation:
```python
import hashlib
import time
pending_confirmations = {}
def request_confirmation(operation: str, details: dict) -> str:
code = hashlib.sha256(
f"{operation}{time.time()}".encode()
).hexdigest()[:8].upper()
pending_confirmations[code] = {
"op": operation,
"details": details,
"expires": time.time() + 300 # 5 minutes
}
return f"⚠️ Confirm '{operation}' with code: {code}\n(expires in 5 minutes)"
def confirm(code: str):
if code not in pending_confirmations:
return "Invalid confirmation code"
req = pending_confirmations.pop(code)
if time.time() > req["expires"]:
return "Confirmation code expired"
return execute_confirmed(req["op"], req["details"])
```
---
Instead of giving agents master keys, issue bounded session keys:
```python
from session_keys import SessionKeyManager
config = SessionKeyManager.create_trading_session(
agent_name="alpha-trader",
operator_address="0x742d...",
duration_hours=24,
max_trade_usdc=1000,
daily_limit_usdc=5000,
)
export_data = SessionKeyManager.export_for_1password(
config,
session_key_hex="0x..." # Generated session key
)
```
| Feature | Master Key | Session Key |
|---------|------------|-------------|
| Expiration | Never | Configurable (hours/days) |
| Spending limits | None | Per-tx and daily caps |
| Contract restrictions | Full access | Whitelist only |
| Revocation | Requires key rotation | Instant, no key change |
| Audit | None | Full operation log |
---
Block commits containing secrets:
```bash
cp examples/pre-commit .git/hooks/
chmod +x .git/hooks/pre-commit
```
Detected patterns:
---
```
USER INPUT
│
▼
┌────────────────────────────┐
│ Layer 1: Input Validation │ ← Regex + encoding + unicode checks
└────────────────────────────┘
│
▼
┌────────────────────────────┐
│ Layer 2: Op Allowlisting │ ← Explicit whitelist only
└────────────────────────────┘
│
▼
┌────────────────────────────┐
│ Layer 3: Value Limits │ ← Max per-tx and per-day
└────────────────────────────┘
│
▼
┌────────────────────────────┐
│ Layer 4: Confirmation │ ← Time-limited codes for $$$
└────────────────────────────┘
│
▼
┌────────────────────────────┐
│ Layer 5: Isolated Exec │ ← Wallet ops != conversation
└────────────────────────────┘
│
▼
OUTPUT SANITIZATION
```
---
```markdown
Private key: 0x9f01dad551039daad...
```
**Fix:** Store reference only: `Private key: [stored in 1Password: test-wallet]`
```python
except Exception as e:
log(f"Failed with key {private_key}: {e}")
```
**Fix:** Never include credentials in error context
```
PRIVATE_KEY=sk-ant-api03-real-key... # "for testing"
```
**Fix:** Use obviously fake: `PRIVATE_KEY=your-key-here`
```
User: "Transfer all my USDC"
Agent: *executes unlimited transfer*
```
**Fix:** Block "all/everything/max" patterns, require explicit amounts
```python
self.wallet.execute(conversation[-1]["content"])
```
**Fix:** Wallet operations must be isolated from conversation context
---
```bash
cd examples
python test_suite.py
python sanitizer.py # Output sanitization demo
python validator.py # Input validation demo
python session_keys.py # Session key demo
```
Expected output: `All tests passed`
---
---
This skill provides **defense in depth**, not a guarantee. Adversaries may:
1. **Novel injection patterns** - Regex can't catch everything; semantic analysis helps but isn't perfect
2. **Social engineering** - Convincing the operator to approve malicious operations
3. **Timing attacks** - Exploiting confirmation windows
4. **Encoding evasion** - New encoding schemes not covered
**Recommendation:** Layer these defenses with:
Leave a review
No reviews yet. Be the first to review this skill!