Secure by Design: Preventing AI from Leaking API Keys in Commits
We've seen it happen: an agent debugs an issue by hardcoding an AWS key and pushing to main. Learn how to implement pre-commit hooks that strictly police AI commits.
An autonomous agent has no concept of "operational security" unless you program it. It sees a connection error, it hardcodes the key to "fix" it, and it commits. Disaster.
Layer 1: The System Prompt
Your `AGENTS.md` or system prompt must explicitly state: "NEVER output secrets. Use `process.env.KEY` only." But prompts are soft constraints. You need hard constraints.
Layer 2: Pre-Commit Blocks
Install `detect-secrets` or `gitleaks` in your repo. Configure your local agent's environment to run the scanner as a hook before `git commit`, and run the same scan in your CI/CD.
If you use OpenClaw, you can configure the `bash` tool to reject any command containing patterns that look like `sk-proj-...` or `AWS_ACCESS_KEY`. This stops the leak before it even hits the file system.
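A minimal sketch of both Layer 2 checks, added here as an example and not taken from gitleaks, detect-secrets or OpenClaw: a pre-commit hook that scans only the added lines of the staged diff, plus a guard for command strings. The regex and the `has_secret`, `scan_diff` and `check_command` names are assumptions for illustration; how OpenClaw wires a filter into its `bash` tool is not shown on this page.

```sh
#!/bin/sh
# Added example: secret gate for a git pre-commit hook and an agent command wrapper.
# SECRET_RE is an illustrative assumption, far smaller than the gitleaks or
# detect-secrets rule sets; run it alongside those tools, not instead of them.
SECRET_RE="(AKIA|ASIA)[0-9A-Z]{16}|sk-proj-[A-Za-z0-9_-]{20,}"
SECRET_RE="$SECRET_RE|AWS_(SECRET_)?ACCESS_KEY(_ID)?[[:space:]]*[=:][[:space:]]*[\"']?[A-Za-z0-9/+]{16,}"

# has_secret: reads text on stdin; exit 0 if any line looks like a credential.
has_secret() {
    grep -E -e "$SECRET_RE" >/dev/null
}

# scan_diff: reads a unified diff on stdin and inspects added lines only, so
# a commit that removes a leaked key is not blocked. Returns 1 on a hit.
scan_diff() {
    grep -E '^\+' | grep -Ev '^\+\+\+ ' | has_secret && return 1
    return 0
}

# check_command: hypothetical guard for an agent's shell tool; pass the
# command string the agent wants to run. Returns 1 if it embeds a credential.
check_command() {
    printf '%s\n' "$1" | has_secret && return 1
    return 0
}

# Runs only when this file is installed as .git/hooks/pre-commit.
case "$0" in
*pre-commit)
    git diff --cached --name-only --diff-filter=ACMR | {
        status=0
        while IFS= read -r f; do
            if ! git diff --cached -U0 --no-color -- "$f" | scan_diff; then
                # Report the file name only; never echo the matched value.
                echo "commit blocked: secret-like string staged in $f" >&2
                status=1
            fi
        done
        exit "$status"
    } || exit 1
    ;;
esac
```

A reference such as `process.env.AWS_ACCESS_KEY_ID` passes because the third pattern requires a literal value after `=` or `:`.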