今日已更新 80 条资讯 | 累计 20052 条内容
关于我们

Blast Radius of an AI Agent's API Key: Score It in 40 Lines

Alexey Spinov 2026年06月15日 02:17 2 次阅读 来源:Dev.to

The blast radius of an API key is not "did it leak." It's "if the agent holding it does the wrong thing, how much of your stack goes with it." A secret scanner answers the first question. Nothing in your toolchain answers the second one before an incident. So I wrote 40 lines that do, offline, from the permission metadata you already have. In short: the blast radius of an API key is set by its permissions, not by whether it leaked: scope width × environment isolation × lifetime × revocability. blast_radius.py reads that metadata (never the secret value, never the network) and scores each key 0–100. In my run a broad prod token hit 91/100 CRITICAL; a scoped key, 14/100 CONTAINED. Stdlib, keyless, deterministic. AI disclosure: I wrote blast_radius.py with AI assistance and ran it myself before publishing. Every score in the output blocks below is pasted from a real run on a synthetic fixture I'll show you — no real keys exist in it; every value is a placeholder like sk-FAKE-… . The incidents I cite ($82K, 9 seconds, 2,863 keys, 93%) are other people's , and I link each source next to it. I label which is which. A token that could delete the database, used to manage domains On April 24, 2026, a Cursor agent running Claude Opus 4.6 dropped a production database, and the volume backups with it, in about 9 seconds, on one API call . The team behind PocketOS wrote it up. The agent hit a credential mismatch, went looking, and found a long-lived Railway CLI token sitting in an unrelated file. That token had been minted to manage domains. But it carried blanket authority over the whole Railway account, volumeDelete included. No scope tied to an environment. No read-only mode. Recovery took the weekend ( The New Stack, 27 Apr 2026 ; The Register, 27 Apr 2026 ). Read that again, because the lesson isn't "the agent went rogue." The lesson is the token . A domain-management task does not need volumeDelete . The key was over-scoped before the agent ever touched it. The agent didn'

本文内容来源于互联网,版权归原作者所有
查看原文