Project Templates. Source: Show HN. Views: 13
Show HN: Pincer-MCP – Stop AI agents from reading their own credentials
By why_prem, February 10, 2026
**Show HN: Pincer-MCP – Stop AI agents from reading their own credentials**
I run AI agents for coding (OpenClaw, Claude Desktop) and realized they could read their own .env files. Tested it - asked my agent to "check configuration" and it printed everything.

The problem: agents need file access to work, but if they can read files, they can read their own credentials. One prompt injection and your API keys are leaked.

Standard solutions don't help:

- Environment variables: agent can read process.env
- Secret managers: agent needs credentials to access them
- Better prompting: can't security-patch an LLM with instructions

I built a proxy token architecture instead. The agent never sees real credentials:

- Agent has: pxr_abc123 (proxy token)
- Real keys: encrypted in OS keychain
- On API call: decrypt key, make call, scrub memory immediately

Built in 1 week. 500 npm installs with zero promotion (people are searching for this).

GitHub: https://github.com/VouchlyAI/Pincer-MCP
npm: npm install -g pincer-mcp

Works with OpenClaw, Claude Desktop, any MCP client.

Looking for security feedback - if you see holes in the architecture, please tell me...
---
**[devsupporter commentary]**
This article is the latest development news provided by Show HN. To learn more about the related tools or technology, refer to the original link.
