Secrets on the Big Screen
API keys, prod credentials, and customer data pasted straight into the prompt.
What it is
To get useful help, someone pastes the real error — including the real stack trace, including the real connection string with the real password. Or the real API response, with the real customer record. Or the real cron config, with the real production credentials. The prompt is now in a vendor’s logs, and the conversation that felt private was an export.
How it happens
AI assistance is best with real context. The developer is debugging, the AI asks for the error, the developer pastes whatever was in their terminal. The credentials are right there in the connection string. The PII is right there in the JSON. The mental model is “I’m having a conversation in a private window.” The actual model is “I’m exporting data to a third-party logging system with whatever retention policy they currently advertise.”
The AI era makes this worse in specific ways. Autonomous coding
agents read local files without being prompted to, sweeping up
.env files, ~/.aws/credentials, and
shell history into context. “Share this conversation”
features publish a link that includes everything that was
pasted. Editor plugins whose telemetry covers the active buffer
have already shipped the secret to the vendor before the
developer typed a prompt. The exfiltration surface is larger
than what the human actually pasted.
Why it’s dangerous
Credentials in vendor logs are a breach with a delayed fuse. Vendor retention policies vary, change, and aren’t something the developer’s team controls. PII in prompts is a regulatory event under GDPR, CCPA, HIPAA, or your industry equivalent, depending on what got pasted. Every leaked credential has to be rotated, every leaked record has to be reported, and the vendor has to be asked to purge — none of which is what the developer thought they were signing up for when they pasted a stack trace at 4pm on a Tuesday.
The AI-era hinge: pre-AI, secrets leaked into Slack, into commit messages, into ticket comments. Post-AI, the leak surface is larger (the agent reads what you didn’t paste), more autonomous (the leak can happen without a deliberate action), and the recipient is a third party whose data handling you don’t control. The cost compounds because the leak is invisible — the developer doesn’t see a security banner; they see a helpful response.
How to prevent it
Treat the prompt as an external API call to a vendor — because that’s exactly what it is. Anything that would alarm you if it appeared in a public Slack channel doesn’t go in a prompt. Make the safe path the easy path: redacted examples, fake data, sanitized stack traces. AI is excellent at working with realistic synthetic data once the developer commits to producing it — ask it to generate a stack trace shape that preserves the diagnostic value without the secret bits.
The friction signal is concrete: if you’re about to paste
a string whose name ends in _KEY,
_TOKEN, _SECRET, or
_PASSWORD, stop. If you’re about to paste an
API response that includes email,
ssn, dob, or a customer name, stop.
The pattern is recognizable; train yourself to recognize it.
The serious team fix
Three things, reinforcing each other:
- A team habit of redact-before-paste. When real data goes into a prompt, the developer redacts credentials and PII first. AI is excellent at producing a synthetic version of a stack trace or response that preserves the diagnostic shape without the sensitive bits — make that the default first step, not the exception. The norm is stated, taught at onboarding, and modeled by leads in their own sessions.
- An AI-leveraged pre-paste scanner. A skill, slash command, or local hook that scans pasted text and outbound prompts for credential patterns (AWS keys, JWTs, connection strings, private key headers, common PII shapes) and blocks the send. The AI runs locally on the developer’s machine; the prompt never reaches the vendor with the secret intact. The check happens at the choke point so the developer doesn’t have to remember.
- Short-lived credentials, scoped tokens, and a documented incident path. Production credentials don’t exist as long-lived strings; they’re rotated automatically and scoped narrowly enough that a leaked one has a small blast radius. Vendor agreements are reviewed for retention behavior. A runbook for “I pasted a secret into a prompt” exists, so the developer knows the rotation and reporting path and doesn’t hide the mistake. The infrastructure makes the worst case survivable.
The shift is: the prompt is an external API call. Anything that would scare you in a public Slack channel should scare you here — and the team’s job is to make the safe version of the paste the easy one.