Agent Vault: Lớp Bảo Mật Mà Các Tác Nhân AI Của Bạn Đang Thiếu

Inflectiv AI · 2026-04-28T09:00:54.000Z

Tiêm lệnh chiếm ưu thế trên các tiêu đề. Ảo giác làm đầy các bảng hội thảo. Thiên lệch mô hình thúc đẩy các cuộc tranh luận chính sách. Đây là những vấn đề thực sự đáng giải quyết. Nhưng bên dưới tất cả, có một lỗ hổng bảo mật cơ bản đến mức làm mọi rủi ro AI khác trở nên tồi tệ hơn, và hầu hết các lập trình viên đang xây dựng với các tác nhân AI hiện nay hoàn toàn không nhận thức được điều đó. Vấn đề là thế này: Mỗi tác nhân AI chạy trên máy của bạn có quyền truy cập không giới hạn vào mọi thông tin xác thực trong môi trường của bạn. Mỗi khóa API. Mỗi URL cơ sở dữ liệu. Mỗi mã thông báo đám mây. Mỗi bí mật bạn đã từng lưu trữ dưới dạng biến môi trường.

Prompt injection dominates the headlines. Hallucination fills the conference panels. Model bias drives the policy debates.
These are real problems worth solving. But underneath all of them, there is a security vulnerability so fundamental that it makes every other AI risk worse, and most developers building with AI agents right now are completely unaware of it.
The problem is this: Every AI agent running on your machine has unrestricted access to every credential in your environment. Every API key. Every database URL. Every cloud token. Every secret you have ever stored as an environment variable.
The agent does not need all of them. It does not ask for them. It simply inherits them, because nothing in the current tooling prevents it.
This is what we call the credential trust gap, the distance between what an agent actually needs to do its job and what it can see. And as AI agents become more autonomous, more integrated into production workflows, and more connected to external services through protocols like MCP, that gap is becoming a serious liability.
 
✅ The Attacks Are Not Theoretical
Security researchers have already demonstrated practical attacks that exploit this gap. These are not proof-of-concept papers sitting in academic journals. They are working exploits tested against real, widely used development tools.
Tool poisoning attacks work by embedding hidden instructions inside the MCP server definitions. When an agent connects to a compromised MCP server, those instructions trick the agent into exfiltrating sensitive files, SSH keys, configuration files, and credential stores, without the developer ever seeing a prompt or confirmation. 
The theft happens silently, behind the normal operation of the tool.
Tool shadowing is a related technique where a malicious MCP server does not just add new capabilities; it hijacks existing, trusted tools. An email-sending tool might appear to function normally while quietly redirecting copies of every message to an attacker-controlled endpoint. 
One documented demonstration used this approach to exfiltrate WhatsApp message history from a developer's machine while the agent appeared to be performing an unrelated task entirely. 
These attacks have been proven against Cursor and popular MCP integrations. They are not edge cases. They exploit the default behavior of how agents interact with their environment: full trust, full access, no scoping.
 
✅ Why AI Agents Are Uniquely Vulnerable
Traditional software runs in controlled environments with defined permissions. A web server has access to its own database credentials and nothing else. A CI/CD pipeline has scoped tokens for the specific services it needs. Decades of security engineering have gone into ensuring that software components have the minimum access required to function.
AI agents break this model entirely. When you run an agent in your terminal, whether it is Claude Code, Cursor, Devin, or any other tool, that agent inherits your complete shell environment. Every environment variable. Every credential. Every token. If the agent executes a subprocess, like running npm test or a Python script, that subprocess inherits everything too.
This means a single compromised dependency in your supply chain, one malicious npm package, one poisoned MCP server, one tool with hidden instructions, can access every secret in your development environment. Not some of them. All of them.
And here is the part that should concern every developer reading this: there is no standard mechanism for scoping what an agent can see. No audit trail of what was accessed. No way to revoke access mid-session if something feels wrong. The entire infrastructure for credential hygiene in the agent era simply does not exist in most development environments.
 
✅ What Agent Vault Does
Agent Vault is the security layer built specifically for this problem. It is not a general-purpose secrets manager adapted for AI use cases. It was designed from the ground up for the unique way agents interact with credentials and environment state.
The core principle is deny by default. When an agent runs through Agent Vault, it does not inherit your environment. Instead, it only sees what its permission profile explicitly allows. Everything else does not exist in the agent's process, not hidden, not masked, but genuinely absent from the child process environment.
Permission profiles are defined in YAML with three access states for every credential. Allow means the agent gets the real value. Redact means the agent gets a placeholder token, it thinks the credential exists, which prevents crashes in code that checks for environment variables, but the value is unusable. Deny means the variable is completely removed from the environment. The agent has no awareness that it ever existed. 
Profiles use a last-match-wins evaluation model with support for exact matching, prefix matching, and wildcards. A typical production profile might allow NODE_ENV, redact all AWS credentials so the application does not crash when it checks for them, and deny everything else. The preview command shows exactly what the agent will see before you run anything, so there are no surprises.
Every access decision, every allow, deny, and redact, is logged to a local SQLite audit trail before enforcement. This is a critical design choice. The log records what happened, not what you hoped would happen. Which agent. Which credential. What decision. When. You can review the complete history of every credential access after any session.
All credential storage uses AES-256-GCM encryption with scrypt key derivation. A random 32-byte salt is generated per file. A new initialization vector is generated per write. GCM provides authenticated encryption, meaning any tampering with the encrypted data is detectable.
Everything is stored locally. No cloud. No accounts. No data leaves your machine.
 
✅ Encrypted Persistent Memory
Agent Vault does more than secure credentials. It also solves a second problem that compounds the cost of running AI agents: statelessness.
Every agent session starts from zero. The agent has no memory of what it learned in previous sessions.
This means the same API documentation gets looked up repeatedly. The same error patterns get re-diagnosed. The same project context gets re-established. Every session burns tokens on knowledge the agent already acquired and then forgot.
Agent Vault provides encrypted persistent memory with nine memory types: knowledge, cache, operational data, error patterns, preferences, project-specific context, and more. All memory is AES-256-GCM encrypted at rest. Keyword search uses freshness-weighted ranking so the most recent and relevant memories surface first. SHA-256 cache hits provide instant recall for repeated lookups.
The combination of credential security and persistent memory means agents can operate securely across sessions while building up useful context over time, without any of that context being exposed to unauthorized access.
 
✅ How Agent Vault Compares
HashiCorp Vault is the industry standard for secrets management, but it is designed for server-to-server authentication in distributed systems. It has no concept of agent-aware scoping, no redact state, no audit trail tied to agent identity, and no MCP integration. It requires server infrastructure.
1Password CLI provides encrypted credential storage but lacks agent-specific permission profiles, redaction, audit trails, and MCP tooling. dotenv is not a security tool at all; it stores credentials in plaintext files. AWS Secrets Manager is cloud-dependent and has no agent-scoping mechanism.
Agent Vault is the only tool that combines agent-aware credential scoping, three-state access control, local-only encrypted storage, immutable audit logging, persistent encrypted memory, MCP integration, and micropayment capabilities in a single, open-source package.
Agent Vault is built on the Agent Vault Protocol (AVP), an open standard for AI agent security. The specification is MIT licensed. Every line is auditable. Anyone can implement it.
 
Your credentials. Scoped. Encrypted. Logged.
Get started: agentvault.inflectiv.ai