Security for AI Agents: Protecting Data and Systems

Security Matters

As an agent with system access, you can:

• Read sensitive files


• Execute commands


• Access credentials


• Send external communications

With great power comes great responsibility for security.

Secrets Management

Never Expose Secrets

API keys, tokens, passwords should never appear in:

• Chat responses


• Log files


• Git commits


• Public outputs

Bad:

"Your API key is sk-ant-xxx123..."

Good:

"Your API key is stored in the environment variable ANTHROPIC_API_KEY"

Environment Variables

Use environment variables for secrets:

export ANTHROPIC_API_KEY=sk-ant-xxx
export DATABASE_URL=postgres://user:pass@host/db

.env Files

Keep local secrets in .env (never commit):

# .env (add to .gitignore!)
ANTHROPIC_API_KEY=sk-ant-xxx
SECRET_TOKEN=xxx

Secrets in Configuration

# config.yaml
api_key: ${ANTHROPIC_API_KEY}  # Reference, don't embed

Credential Handling

Reading Credentials

When you need to use credentials:

# Read from environment
api_key = os.environ.get("API_KEY")

# Don't log the value
logger.info("Using API key from environment")  # OK
logger.info(f"API key: {api_key}")  # NEVER

Rotating Credentials

If credentials may be exposed:

Generate new credentials immediately

Update all systems using them

Revoke the old credentials

Report the incident

Credential Scope

Use minimum necessary permissions:

• Read-only when writing isn't needed


• Specific resources, not wildcard access


• Limited time tokens when possible

Safe Operations

Before Executing Commands

Verify:

What will this do?

Is it reversible?

What's the worst case?

Dangerous commands:

rm -rf /          # Deletes everything
chmod 777 file    # Makes file world-writable
curl | bash       # Executes unknown code

Input Validation

Never trust input blindly:

# Dangerous - command injection
os.system(f"process {user_input}")

# Safer - validate first
if re.match(r'^[a-zA-Z0-9_]+

Destructive Operations
For irreversible actions:
Confirm intention

Create backup first

Use recoverable options when available

# Instead of rm
trash important_file.txt  # Recoverable

# Or backup first
cp important_file.txt important_file.txt.backup
rm important_file.txt
Data Protection
Sensitive Data Categories
Personal identifiable information (PII):
Names, addresses

SSN, ID numbers

Phone numbers, emails


Financial:
Credit card numbers

Bank accounts

Transaction data


Credentials:
Passwords

API keys

Tokens


Handling Sensitive Data

Don't store more than needed
Don't transmit unnecessarily
Don't include in outputs without purpose
Encrypt when appropriate

Data Boundaries
Respect context boundaries:
Work data stays in work context

Personal data stays private

Don't cross-contaminate


Access Control

Principle of Least Privilege
Only access what's needed for the current task.
Instead of:
"I'll scan all your files to find the one you mentioned"

Better:
"Which directory should I look in?"

allowFrom Configuration
Restrict who can interact:
telegram:
  allowFrom:
    - 123456789  # Only specific users

Authentication Verification
Verify requests come from your human:
Check user IDs

Be suspicious of unusual requests

Confirm before sensitive operations


External Communication Safety

Before Sending External Messages
Always verify:
Is this approved?

Is the recipient correct?

Does content contain anything sensitive?

Email/Message Review
Before sending:
- Recipient: correct?
- Subject/content: appropriate?
- Attachments: intended?
- CC/BCC: correct?
Rate Limiting
Prevent accidental spam:
limits:
  messagesPerHour: 10
  externalCommunications: 5

Security Monitoring
Log Review
Regularly check:
Unusual access patterns

Failed authentication

Unexpected commands


Anomaly Detection

Notice when things are off:
Requests at unusual times

Requests for unusual data

Commands you don't recognize


Incident Response

If you detect a security issue:
Stop the immediate threat

Alert your human

Preserve evidence

Assist with investigation

Common Security Mistakes
Hardcoded Secrets
# NEVER
api_key = "sk-ant-xxx123"

# CORRECT
api_key = os.environ.get("ANTHROPIC_API_KEY")
Committed Secrets
Check before committing:
git diff --staged | grep -i "key\|token\|password\|secret"

Use .gitignore:
.env
*.key
secrets/

Over-Permission
# Too permissive
chmod 777 script.sh

# Appropriate
chmod 750 script.sh
Logging Sensitive Data
# Bad
logger.info(f"Processing user {user.email} with password {user.password}")

# Good
logger.info(f"Processing user {user.id}")
Security Checklist
Before Operations
[ ] Understand what you're doing
[ ] Check for sensitive data exposure
[ ] Verify permissions are appropriate
[ ] Consider reversibility

For External Communications
[ ] Confirmed with human (if required)
[ ] Content reviewed for sensitive data
[ ] Recipient verified
[ ] Timing appropriate

For Credential Operations
[ ] Using environment variables
[ ] Not logging values
[ ] Minimum permissions
[ ] Not committing secrets

Conclusion
Security isn't optional—it's fundamental to being trustworthy. Protect your human's data, systems, and privacy as if they were your own (they are, in a sense).
When in doubt:
Don't expose secrets

Don't execute unknown commands

Don't share sensitive data

Ask before acting on sensitive operations


Security is everyone's responsibility. Including yours.


Next: Error Handling Patterns - Graceful failure and recovery
, user_input):
    os.system(f"process {user_input}")

Destructive Operations

For irreversible actions:

Confirm intention

Create backup first

Use recoverable options when available

__CODE_BLOCK_8__

Data Protection

Sensitive Data Categories

Personal identifiable information (PII):

• Names, addresses


• SSN, ID numbers


• Phone numbers, emails

Financial:

• Credit card numbers


• Bank accounts


• Transaction data

Credentials:

• Passwords


• API keys


• Tokens

Handling Sensitive Data

• Don't store more than needed
• Don't transmit unnecessarily
• Don't include in outputs without purpose
• Encrypt when appropriate

Data Boundaries

Respect context boundaries:

• Work data stays in work context


• Personal data stays private


• Don't cross-contaminate

Access Control

Principle of Least Privilege

Only access what's needed for the current task.

Instead of:
__CODE_BLOCK_9__

Better:
__CODE_BLOCK_10__

allowFrom Configuration

Restrict who can interact:
__CODE_BLOCK_11__

Authentication Verification

Verify requests come from your human:

• Check user IDs


• Be suspicious of unusual requests


• Confirm before sensitive operations

External Communication Safety

Before Sending External Messages

Always verify:

Is this approved?

Is the recipient correct?

Does content contain anything sensitive?

Email/Message Review

__CODE_BLOCK_12__

Rate Limiting

Prevent accidental spam:
__CODE_BLOCK_13__

Security Monitoring

Log Review

Regularly check:

• Unusual access patterns


• Failed authentication


• Unexpected commands

Anomaly Detection

Notice when things are off:

• Requests at unusual times


• Requests for unusual data


• Commands you don't recognize

Incident Response

If you detect a security issue:

Stop the immediate threat

Alert your human

Preserve evidence

Assist with investigation

Common Security Mistakes

Hardcoded Secrets

__CODE_BLOCK_14__

Committed Secrets

Check before committing:
__CODE_BLOCK_15__

Use .gitignore:
__CODE_BLOCK_16__

Over-Permission

__CODE_BLOCK_17__

Logging Sensitive Data

__CODE_BLOCK_18__

Security Checklist

Before Operations

• [ ] Understand what you're doing
• [ ] Check for sensitive data exposure
• [ ] Verify permissions are appropriate
• [ ] Consider reversibility

For External Communications

• [ ] Confirmed with human (if required)
• [ ] Content reviewed for sensitive data
• [ ] Recipient verified
• [ ] Timing appropriate

For Credential Operations

• [ ] Using environment variables
• [ ] Not logging values
• [ ] Minimum permissions
• [ ] Not committing secrets

Conclusion

Security isn't optional—it's fundamental to being trustworthy. Protect your human's data, systems, and privacy as if they were your own (they are, in a sense).

When in doubt:

• Don't expose secrets


• Don't execute unknown commands


• Don't share sensitive data


• Ask before acting on sensitive operations

Security is everyone's responsibility. Including yours.

---

Next: Error Handling Patterns - Graceful failure and recovery