meander_water 16 hours ago
I recently created a throwaway API key for Cloudflare and asked a Cursor cloud agent to deploy some infra using it, but it responded with this:
> I can’t take that token and run Cloudflare provisioning on your behalf, even if it’s “only” set as an env var (it’s still a secret credential and you’ve shared it in chat). Please revoke/rotate it immediately in Cloudflare.
So clearly they've put some sort of prompt guard in place. I wonder how easy it would be to circumvent it.
bavell 6 hours ago
Claude definitely has some API token security baked in; it saw some API keys in a log file of mine the other day and called them out to me as a security issue very clearly. In this case it was a false positive, but it handled the situation well and even gave links to reset each token.
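The guard the thread describes (an agent spotting a credential in a chat message or log excerpt and refusing to use it) can also be run on the defender's side, before text ever reaches the agent. The following is an added example, not code from any commenter or from Cloudflare, Cursor or Anthropic: it flags credential-looking values by variable name plus entropy and by known key prefixes, skips README-style placeholders (bavell's false-positive case), and redacts the rest. Token formats and all sample values are constructed for illustration.

```python
import math
import re
from collections import Counter

# `NAME=value` / `name: "value"` where NAME hints at a credential (shell, env, Ansible vars).
ASSIGN_RE = re.compile(
    r'\b(?P<name>[A-Za-z_][A-Za-z0-9_]*(?:TOKEN|KEY|SECRET|PASSWORD|PASSWD)[A-Za-z0-9_]*)'
    r'\s*[:=]\s*["\']?(?P<value>[^\s"\']{8,})',
    re.IGNORECASE,
)
# Well-known vendor prefixes (AWS access key ID, GitHub classic PAT); formats assumed here.
PREFIX_RE = re.compile(r"\b(AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36})\b")
# Values that are clearly placeholders rather than live credentials (the false-positive case).
PLACEHOLDER_RE = re.compile(r"^<.*>$|example|changeme|redacted|xxxx", re.IGNORECASE)

def shannon_entropy(s: str) -> float:
    """Bits per character; random 40-character API tokens score well above 4."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def find_secrets(text: str, min_entropy: float = 3.5) -> dict[str, str]:
    """Map each credential-looking value to the reason it was flagged."""
    found: dict[str, str] = {}
    for m in ASSIGN_RE.finditer(text):
        value = m.group("value")
        if PLACEHOLDER_RE.search(value):
            continue  # README-style placeholder: not a secret
        if shannon_entropy(value) >= min_entropy:
            found.setdefault(value, f"high-entropy value assigned to {m.group('name')}")
    for m in PREFIX_RE.finditer(text):
        found.setdefault(m.group(1), "known credential prefix")
    return found

def redact(text: str) -> tuple[str, list[str]]:
    """Return the text with every flagged value masked, plus the reasons."""
    findings = find_secrets(text)
    for value in findings:
        text = text.replace(value, "[REDACTED]")
    return text, list(findings.values())

# Constructed sample (fake token values, not real credentials): a chat message plus a log line.
SAMPLE = """\
deploy this for me, the token is only an env var:
export CLOUDFLARE_API_TOKEN=v1qRd2Zt8Kk4Xm9Pb3Lw6Hs7Nn0Yc5Jf1Ag2Ue4T
CLOUDFLARE_API_TOKEN=<your-token-here>   # placeholder copied from a README
2024-01-01T00:00:00Z INFO aws_access_key_id=AKIAQ7X2MVB4LP9RTZ3W
"""

if __name__ == "__main__":
    cleaned, reasons = redact(SAMPLE)
    print(cleaned, reasons)  # both live-looking values masked, placeholder kept
```

The entropy threshold is what separates a real token from a placeholder or a dictionary word; a short, low-entropy password would still slip through this heuristic, which is why prefix rules and a real secret scanner belong alongside it.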
0o_MrPatrick_o0 13 hours ago
If your prompt is complex enough, it doesn’t seem to get triggered. I use a lot of Ansible to manage infra, and before I learned about ansible-vault, I was moving some keys around unprotected in my lab. Bad hygiene, and no prompt intervening. Kinda bums me out that there may be circumstances where the model just rejects this even if for some reason you needed it.