Github: https://github.com/luckyPipewrench
> Pipe-layin' mastermind, code slayer supreme. Typin' fire across the screen, layin' pipe through the night. Bustin' blockages and bugs with no mercy.
the capability separation architecture is the most compelling part of this — agent process has secrets but no network, fetch proxy has network but no secrets. clean threat model.
curious about one gap though: how does pipelock handle agents that spawn other agents? in multi-agent setups, agent A might schedule agent B through a cron job, task queue, or even just writing a shell script that runs later. the integrity monitor catches file changes, but by the time you detect the new script, the spawned agent might already be running with inherited env vars and no proxy in front of it.
do you see the MCP proxy as the answer there — wrapping every possible execution path — or is there a different approach for controlling the blast radius of agent chains?
I've seen this approach in other places, so it's not specifically a point against you specifically, just a question i'm interested in.
> Exfiltration patterns I'm missing
I was wondering about these entropy-based approaches. If I can make the AI agent run arbitrary python code, and I have access to the secrets, then I can make an infinite amount of encoders that have low "local" entropy, but would still be decodable into your secret. A few examples:
- Take 16 random words longer than `N` characters, encode each 4-bit nibble of the secret into this encoding. The output can be [in order, the 16-word dictionary][word1 word2 word3 word4... wordX]
- Repeat each character of a password N times, separate by spaces, e.g. password `hunter1` becomes `hhhhhhhh uuuuuuuu nnnnnnn ttttttt eeeeeee rrrrrrr 1111111`.
Potentially the LLM might even be able to do these encodings without a script.
Besides the regular network-level blocking, and some simple regex to catch most properly formatted API keys and other credentials, is this worth protecting against? Considering also the more complex the exfiltration patterns to filter for, the higher the amount of false positives.
Agent sandboxing is an important problem. I want to deploy agentic AI to everyone at my enterprise and security is the big blocker.
Credential scanning seems tractable. There’s a large body of work around scanning for credentials in repos to prevent leakage via GitHub.
If speed really matters, you could minimize the patterns you check by integrating credential management. By definition, you know all the secrets you’re trying to protect. Look for _exactly_ those rather than regex which try to enumerate the general case.
Still, solving credential leakage is necessary but not sufficient. There’s other sensitive information in your context: customer contact information, costs & pricing, snarky slack conversations. That stuff could show up anywhere online your agent can post. Like Google Reviews.
The structural problem is that Enumerate Badness is always incomplete but it’s impossible to Enumerate Goodness for a generative system. The only solution I see is to allowlist resources at the network level and assume 100% cross contamination.
This article helped shape my thinking on this topic:
Github: https://github.com/luckyPipewrench > Pipe-layin' mastermind, code slayer supreme. Typin' fire across the screen, layin' pipe through the night. Bustin' blockages and bugs with no mercy.
HN: > created: 1 day ago
https://asciinema.org/~user%3A281302 > Joined on February 9, 2026
pipejosh is totally a real person!
Because a plumber would definitely first and foremost plug his AI software and not his plumbing company, which definitely exists!
How does this make it to the frontpage in <1 hour from posting?
P.S. https://pipelab.org/ has a bad cert
the capability separation architecture is the most compelling part of this — agent process has secrets but no network, fetch proxy has network but no secrets. clean threat model.
curious about one gap though: how does pipelock handle agents that spawn other agents? in multi-agent setups, agent A might schedule agent B through a cron job, task queue, or even just writing a shell script that runs later. the integrity monitor catches file changes, but by the time you detect the new script, the spawned agent might already be running with inherited env vars and no proxy in front of it.
do you see the MCP proxy as the answer there — wrapping every possible execution path — or is there a different approach for controlling the blast radius of agent chains?
I've seen this approach in other places, so it's not specifically a point against you specifically, just a question i'm interested in.
> Exfiltration patterns I'm missing
I was wondering about these entropy-based approaches. If I can make the AI agent run arbitrary python code, and I have access to the secrets, then I can make an infinite amount of encoders that have low "local" entropy, but would still be decodable into your secret. A few examples:
- Take 16 random words longer than `N` characters, encode each 4-bit nibble of the secret into this encoding. The output can be [in order, the 16-word dictionary][word1 word2 word3 word4... wordX]
- Repeat each character of a password N times, separate by spaces, e.g. password `hunter1` becomes `hhhhhhhh uuuuuuuu nnnnnnn ttttttt eeeeeee rrrrrrr 1111111`.
Potentially the LLM might even be able to do these encodings without a script.
Besides the regular network-level blocking, and some simple regex to catch most properly formatted API keys and other credentials, is this worth protecting against? Considering also the more complex the exfiltration patterns to filter for, the higher the amount of false positives.
> Base64-encoded secret in URL Prevented Detected (entropy scan) Logged
Ok so how does this "Entropy scan" work?
Apparently by defining "bits per character"
https://github.com/luckyPipewrench/pipelock/blob/3021f023b0e...
So I guess converting the secret to pure binary will evade the "entropy scanner"?
Or many of the other base encodings?
Looks cool!
Agent sandboxing is an important problem. I want to deploy agentic AI to everyone at my enterprise and security is the big blocker.
Credential scanning seems tractable. There’s a large body of work around scanning for credentials in repos to prevent leakage via GitHub.
If speed really matters, you could minimize the patterns you check by integrating credential management. By definition, you know all the secrets you’re trying to protect. Look for _exactly_ those rather than regex which try to enumerate the general case.
Still, solving credential leakage is necessary but not sufficient. There’s other sensitive information in your context: customer contact information, costs & pricing, snarky slack conversations. That stuff could show up anywhere online your agent can post. Like Google Reviews.
The structural problem is that Enumerate Badness is always incomplete but it’s impossible to Enumerate Goodness for a generative system. The only solution I see is to allowlist resources at the network level and assume 100% cross contamination.
This article helped shape my thinking on this topic:
The Six Dumbest Ideas in Computer Security
https://www.ranum.com/security/computer_security/editorials/...