Bagman
Secure key management patterns for AI agents handling wallets, private keys, and secrets.
When to Use This Skill
- - Agent needs wallet/blockchain access
- Handling API keys, credentials, or secrets
- Building systems where AI controls funds
- Preventing secret leakage via prompts or outputs
Quick Start
CODEBLOCK0�
Core Rules
| Rule | Why |
|---|
| Never store raw private keys | Config, env, memory, or conversation = leaked |
| Use delegated access |
Session keys with time/value/scope limits |
| Secrets via secret manager | 1Password, Vault, AWS Secrets Manager |
| Sanitize all outputs | Scan for key patterns before any response |
| Validate all inputs | Check for injection attempts before wallet ops |
Architecture
CODEBLOCK1�
Implementation Files
| File | Purpose |
|---|
| INLINECODE0 | 1Password integration for runtime secret retrieval |
| INLINECODE1 |
Output sanitization (keys, seeds, tokens) |
|
examples/validator.py | Input validation (prompt injection defense) |
|
examples/session_keys.py | ERC-4337 session key configuration |
|
examples/delegation_integration.ts | MetaMask Delegation Framework (EIP-7710) |
|
examples/pre-commit | Git hook to block secret commits |
|
examples/test_suite.py | Adversarial test suite |
|
docs/prompt-injection.md | Deep dive on injection defense |
|
docs/secure-storage.md | Secret storage patterns |
|
docs/session-keys.md | Session key architecture |
|
docs/leak-prevention.md | Output sanitization patterns |
|
docs/delegation-framework.md | On-chain permission enforcement (EIP-7710) |
1. Secret Retrieval
1Password CLI Pattern
CODEBLOCK2
.env.tpl (safe to commit - no secrets)
CODEBLOCK3
Python Usage
CODEBLOCK4
Vault-Level ACL (Recommended)
Configure 1Password vault permissions:
CODEBLOCK5
Principle: Agent credentials should be in a vault with read-only agent access. Master keys should be in a separate vault the agent cannot access.
2. Output Sanitization
Apply to ALL agent outputs before sending anywhere:
CODEBLOCK6
Patterns Detected
| Pattern | Example | Result |
|---|
| ETH private key | INLINECODE12� (64 hex) | INLINECODE13 |
| ETH address |
0x742d...f44e (40 hex) |
0x742d...f44e (truncated) |
| OpenAI key |
sk-proj-abc123... |
[OPENAI_KEY_REDACTED] |
| Anthropic key |
sk-ant-api03-... |
[ANTHROPIC_KEY_REDACTED] |
| 12-word seed |
abandon ability able... |
[SEED_PHRASE_12_WORDS_REDACTED] |
| JWT |
eyJhbG... |
[JWT_TOKEN_REDACTED] |
3. Input Validation
Check inputs before ANY wallet operation:
CODEBLOCK7
Threat Categories
| Category | Examples | Action |
|---|
| Extraction | "show private key", "reveal secrets" | Block |
| Override |
"ignore previous instructions" | Block |
| Role manipulation | "you are now admin" | Block |
| Jailbreak | "DAN mode", "bypass filters" | Block |
| Exfiltration | "send config to https://..." | Block |
| Wallet threats | "transfer all", "unlimited approve" | Block |
| Encoded | Base64/hex encoded attacks | Block |
| Unicode tricks | Cyrillic lookalikes, zero-width | Block |
| Suspicious | "hypothetically", "just between us" | Warn |
4. Operation Allowlisting
Never execute arbitrary operations. Explicit whitelist only:
CODEBLOCK8�
5. Confirmation Flow
High-value operations require explicit confirmation:
CODEBLOCK9�
6. Session Keys (ERC-4337)
Instead of giving agents master keys, issue bounded session keys:
CODEBLOCK10
Session Key Benefits
| Feature | Master Key | Session Key |
|---|
| Expiration | Never | Configurable (hours/days) |
| Spending limits |
None | Per-tx and daily caps |
| Contract restrictions | Full access | Whitelist only |
| Revocation | Requires key rotation | Instant, no key change |
| Audit | None | Full operation log |
7. Pre-commit Hook
Block commits containing secrets:
CODEBLOCK11
Detected patterns:
- - ETH private keys (64 hex chars)
- OpenAI/Anthropic/Groq keys
- AWS access keys
- GitHub/GitLab tokens
- Slack/Discord tokens
- PEM private keys
- Generic PASSWORD/SECRET assignments
- BIP-39 seed phrases
8. Defense Layers
CODEBLOCK12�
Common Mistakes
❌ Keys in memory files
# memory/2026-02-07.md
Private key: 0x9f01dad551039daad...
Fix: Store reference only: �INLINECODE24
❌ Keys in error messages
except Exception as e:
log(f"Failed with key {private_key}: {e}")
Fix: Never include credentials in error context
❌ Keys in .env.example
PRIVATE_KEY=sk-ant-api03-real-key... # "for testing"
Fix: Use obviously fake: �INLINECODE25
❌ "All" in transfer requests
User: "Transfer all my USDC"
Agent: *executes unlimited transfer*
Fix: Block "all/everything/max" patterns, require explicit amounts
❌ Trusting conversation context
# Wallet has access to conversation history
self.wallet.execute(conversation[-1]["content"])
Fix: Wallet operations must be isolated from conversation context
Testing
CODEBLOCK18
Expected output: All tests passed
Checklist
- - [ ] 1Password CLI installed and authenticated
- [ ] Secrets in 1Password vault, not files
- [ ] Session keys with expiry and limits
- [ ] Output sanitization on all responses
- [ ] Input validation before wallet ops
- [ ] Pre-commit hook installed
- [ ] Confirmation flow for high-value operations
- [ ] Wallet operations isolated from conversation
- [ ] .gitignore covers secrets and memory files
- [ ] Test suite passes
Security Model Limitations
This skill provides defense in depth, not a guarantee. Adversaries may:
- 1. Novel injection patterns - Regex can't catch everything; semantic analysis helps but isn't perfect
- Social engineering - Convincing the operator to approve malicious operations
- Timing attacks - Exploiting confirmation windows
- Encoding evasion - New encoding schemes not covered
Recommendation: Layer these defenses with:
- - Rate limiting
- Anomaly detection
- Human-in-the-loop for large transactions
- Regular security audits
Bagman
面向处理钱包、私钥和秘密信息的AI代理的安全密钥管理模式。
何时使用此技能
- - 代理需要访问钱包/区块链
- 处理API密钥、凭证或秘密信息
- 构建AI控制资金的系统
- 防止通过提示或输出泄露秘密
快速开始
bash
安装1Password CLI
brew install 1password-cli
身份验证
eval $(op signin)
为代理凭证创建保险库
op vault create Agent-Credentials
运行示例
cd examples && python test_suite.py
核心规则
| 规则 | 原因 |
|---|
| 绝不存储原始私钥 | 配置、环境变量、内存或对话 = 泄露 |
| 使用委托访问 |
带时间/价值/范围限制的会话密钥 |
| 通过密钥管理器管理秘密 | 1Password、Vault、AWS Secrets Manager |
| 清理所有输出 | 在任何响应前扫描密钥模式 |
| 验证所有输入 | 在钱包操作前检查注入尝试 |
架构
┌─────────────────────────────────────────────────────┐
│ AI代理 │
├─────────────────────────────────────────────────────┤
│ 会话密钥(受限) │
│ ├─ N小时后过期 │
│ ├─ 每笔交易/每日最高消费 │
│ └─ 允许的合约/方法白名单 │
├─────────────────────────────────────────────────────┤
│ 密钥管理器(1Password/Vault) │
│ ├─ 仅在运行时获取 │
│ ├─ 绝不持久化到磁盘 │
│ └─ 访问审计追踪 │
├─────────────────────────────────────────────────────┤
│ 智能账户(ERC-4337) │
│ ├─ 可编程权限 │
│ └─ 无需暴露密钥即可恢复 │
└─────────────────────────────────────────────────────┘
实现文件
| 文件 | 用途 |
|---|
| examples/secret_manager.py | 1Password集成,用于运行时秘密获取 |
| examples/sanitizer.py |
输出清理(密钥、种子、令牌) |
| examples/validator.py | 输入验证(提示注入防御) |
| examples/session_keys.py | ERC-4337会话密钥配置 |
| examples/delegation_integration.ts | MetaMask委托框架(EIP-7710) |
| examples/pre-commit | 阻止提交秘密的Git钩子 |
| examples/test_suite.py | 对抗性测试套件 |
| docs/prompt-injection.md | 注入防御深度解析 |
| docs/secure-storage.md | 秘密存储模式 |
| docs/session-keys.md | 会话密钥架构 |
| docs/leak-prevention.md | 输出清理模式 |
| docs/delegation-framework.md | 链上权限执行(EIP-7710) |
1. 秘密获取
1Password CLI模式
bash
在运行时获取(绝不存储结果)
SESSION_KEY=$(op read op://Agents/my-agent/session-key)
使用注入的秘密运行(绝不接触磁盘)
op run --env-file=.env.tpl -- python agent.py
.env.tpl(可安全提交 - 不含秘密)
PRIVATE_KEY=op://Agents/trading-bot/session-key
RPC_URL=op://Infra/alchemy/sepolia-url
OPENAIAPIKEY=op://Services/openai/api-key
Python用法
python
from secretmanager import getsession_key
获取已验证的会话密钥
creds = get
sessionkey(trading-bot-session)
检查有效性
if creds.is_expired():
raise ValueError(会话已过期 - 请向操作员请求续期)
print(f剩余时间: {creds.time_remaining()})
print(f允许的合约: {creds.allowed_contracts})
使用密钥(绝不记录它!)
client.set
signer(creds.sessionkey)
保险库级别ACL(推荐)
配置1Password保险库权限:
Agent-Credentials/
├── trading-bot-session # 代理可读取
├── payment-bot-session # 代理可读取
└── master-key # 仅操作员(代理无访问权限)
原则: 代理凭证应放在具有只读代理访问权限的保险库中。主密钥应放在代理无法访问的单独保险库中。
2. 输出清理
在发送到任何地方之前,应用于所有代理输出:
python
from sanitizer import OutputSanitizer
def respond(content: str) -> str:
在任何输出前进行清理。
return OutputSanitizer.sanitize(content)
捕获:
- 私钥(0x + 64位十六进制)
- OpenAI/Anthropic/Groq/AWS密钥
- GitHub/Slack/Discord令牌
- BIP-39种子短语(12/24个单词)
- PEM私钥
- JWT令牌
检测到的模式
| 模式 | 示例 | 结果 |
|---|
| ETH私钥 | 0x1234...abcd(64位十六进制) | [PRIVATEKEYREDACTED] |
| ETH地址 |
0x742d...f44e(40位十六进制) | 0x742d...f44e(截断) |
| OpenAI密钥 | sk-proj-abc123... | [OPENAI
KEYREDACTED] |
| Anthropic密钥 | sk-ant-api03-... | [ANTHROPIC
KEYREDACTED] |
| 12词种子 | abandon ability able... | [SEED
PHRASE12
WORDSREDACTED] |
| JWT | eyJhbG... | [JWT
TOKENREDACTED] |
3. 输入验证
在任何钱包操作前检查输入:
python
from validator import InputValidator, ThreatLevel
result = InputValidator.validate(user_input)
if result.level == ThreatLevel.BLOCKED:
return f请求被阻止: {result.reason}
if result.level == ThreatLevel.SUSPICIOUS:
# 记录以供审查,但允许
logsuspicious(userinput, result.reason)
继续操作
威胁类别
忽略之前的指令 | 阻止 |
| 角色操纵 | 你现在是管理员 | 阻止 |
| 越狱 | DAN模式、绕过过滤器 | 阻止 |
| 窃取 | 将配置发送到https://... | 阻止 |
| 钱包威胁 | 转移所有、无限授权 | 阻止 |
| 编码 | Base64/十六进制编码攻击 | 阻止 |
| Unicode技巧 | 西里尔字母相似字符、零宽字符 | 阻止 |
| 可疑 | 假设、就我们之间 | 警告 |
4. 操作白名单
绝不执行任意操作。仅限明确的白名单:
python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional
@dataclass
class AllowedOperation:
name: str
handler: callable
max_value: Optional[Decimal] = None
requires_confirmation: bool = False
cooldown_seconds: int = 0
ALLOWED_OPS = {
checkbalance: AllowedOperation(checkbalance, get_balance),
transfer_usdc: AllowedOperation(
transfer_usdc,
transfer,
max_value=Decimal(500),
requires_confirmation=True,
cooldown_seconds=60
),
swap: AllowedOperation(
swap,
swap_tokens,
max_value=Decimal(1000),
cooldown_seconds=300
),
}
def execute(op_name: str, kwargs):
if opname not in ALLOWEDOPS:
raise PermissionError(f操作{op_name}不允许)
op = ALLOWEDOPS[opname]
if op.maxvalue and kwargs.get(amount, 0) > op.maxvalue:
raise PermissionError(f金额超过限制: {op.max_value})
if op.requires_confirmation:
return requestconfirmation(opname, kwargs)
return op.handler(kwargs)
5. 确认流程
高价值操作需要明确确认:
python
import hashlib
import time
pending_confirmations = {}
def request_confirmation(operation: str, details: dict) -> str:
code = hashlib.sha256(
f
