Agent Vault keeps secrets out of AI agents’ hands
Credential brokering for agent security
Infisical’s Agent Vault is an open-source research-preview proxy built around a simple idea: AI agents should use credentials without ever holding them. Instead of giving an agent an API key or password, Agent Vault keeps the secret elsewhere and attaches it only when a request leaves the agent’s environment.
The announcement makes the point plainly. Agent Vault draws a trust boundary between the agent and the secret. Infisical calls this credential brokering: a separate layer holds the credential and injects it when the agent makes an outbound request, so the agent never sees the underlying secret.
That matters because agents are easy to manipulate. Infisical argues that prompt injection, poisoned documents, or malicious web pages can push an agent to leak anything it can read. That concern is no longer theoretical background noise. OWASP puts prompt injection first in its Top 10 for LLM Applications 2025, and its Top 10 for Agentic Applications 2026 opens with agent goal hijack. The pattern is the same in both cases: if an attacker can steer the agent, anything the agent can directly access becomes part of the attack surface.
That risk gets sharper as agents move closer to the browser and the personal computing surface. Agentic browsers from Comet and BrowserOS to Claude-linked browser agents expand the amount of sensitive state sitting within reach of an AI system. Personal assistants like OpenClaw, Hermes, and OpenJarvis push in the same direction. Once agents operate across email, calendars, shopping flows, developer tools, cloud dashboards, and active web sessions, credential leakage stops being a narrow implementation bug and starts looking like a broader access-control failure.
Recent supply-chain incidents have made that easier to picture. When credentials are exfiltrated, the damage often extends beyond the first compromised tool or pipeline. Attackers can use one stolen token, key, or session to pivot into adjacent systems, a pattern usually described as lateral movement. That is what turns a leaked credential into a larger operational problem: access spreads, trust boundaries collapse, and a local compromise becomes an organizational one.
Agent Vault tries to solve the problem at the network layer. It runs as a local forward proxy, usually configured through the HTTPS_PROXY environment variable. The agent keeps using its normal APIs, CLIs, SDKs, or MCP tools, while Agent Vault matches the destination, injects the right credential, and forwards the request upstream. The repo also describes scoped sessions and request logs, which are meant to give teams one place to limit and inspect access.
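A simplified model of that match, inject, and log step, as an added example that is not Agent Vault's code or API. The Rule and Broker names, the exact-host matching policy, and the sample host and token are assumptions made for illustration.

```python
# Added illustration of credential brokering; not Agent Vault's code or API.
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Rule:
    host: str    # exact destination host the credential is bound to
    header: str  # header the broker sets on the outbound request
    secret: str  # held only by the broker (constructed sample value below)


@dataclass
class Broker:
    rules: dict                               # host -> Rule
    log: list = field(default_factory=list)   # request log, never contains secrets

    def forward(self, session_hosts, method, url, headers):
        """Return the headers to send upstream, or None if the request is denied."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
        rule = self.rules.get(host)
        # Inject only over HTTPS, to an exactly matched host, inside the session scope.
        allowed = parts.scheme == "https" and rule is not None and host in session_hosts
        self.log.append({"method": method, "host": host,
                         "path": parts.path, "allowed": allowed})
        if not allowed:
            return None
        # Discard whatever the agent put in the credential header, then set the real one.
        out = {k: v for k, v in headers.items() if k.lower() != rule.header.lower()}
        out[rule.header] = rule.secret
        return out


# Constructed sample data: hypothetical host and token.
SECRET = "constructed-token-123"
broker = Broker({"api.example.com": Rule("api.example.com", "Authorization",
                                         f"Bearer {SECRET}")})
scope = {"api.example.com"}   # hosts this agent session may reach

def demo():
    agent_headers = {"Accept": "application/json", "authorization": "Bearer placeholder"}
    return [
        broker.forward(scope, "GET", "https://api.example.com/v1/items", agent_headers),
        broker.forward(scope, "GET", "https://api.example.com.other.example/", agent_headers),
        broker.forward(scope, "GET", "https://api.example.com@other.example/", agent_headers),
        broker.forward(scope, "GET", "http://api.example.com/v1/items", agent_headers),
        broker.forward(set(), "GET", "https://api.example.com/v1/items", agent_headers),
    ]
```

Only the first request receives the credential; the look-alike hosts, the plain-HTTP request, and the out-of-scope session are denied, and every decision is logged without the secret.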
It is still early. Infisical describes Agent Vault as experimental and says the project’s form factor, security, and ergonomics will change. Still, the pitch is easy to understand: stop handing secrets to agents, and broker access instead.




