One insidious thing is whitelists. If you allow the bot to run a command like `API_KEY=fdafsafa docker run ...`, then the API_KEY will be written to a file, and the agent can then read that in future runs. That bit me once already.

▲

zahlman 3 hours ago | parent | next [-]

> If you allow the bot to run a command like `API_KEY=fdafsafa docker run ...`, then the API_KEY will be written to a file

It wouldn't be inherently. Is this something that Docker does? Or perhaps something that was done by the code that was run? (Shouldn't it have stayed within that container?)

But also, if it's not okay for the agent to know the API key permanently, why is it okay for the agent to have one-off use of something that requires the same key? Did it actually craft a Bash command line with the API key set and request to run it; or was it just using a tool that ends up with that command?

	▲	logicx24 2 hours ago \| parent [-]
		What I meant to say was, the agents (like Claude Code) often have a "Allow all instances of this command in the session," and that persists to a whitelist for that session. The mechanic here is actually just a prefix match, so `API_KEY=... diff_command` also matches, allowing the agent to reuse the key without asking me. This file also sticks around, so I had another agent read the whitelist and the conversation transcript and do other things automatically without approval. > if it's not okay for the agent to know the API key permanently, why is it okay for the agent to have one-off use of something that requires the same key? Read commands vs. write commands. I'm okay having the agent fetch info for me, but I want to approve any state changes.

▲

dgxyz 3 hours ago | parent | prev [-]

That's a shit show in a shit show there!