How to Prevent AI Agents from Accessing macOS Keychain or Windows Credential Manager
SafeClaw by Authensor blocks AI agents from accessing your operating system's credential store — macOS Keychain, Windows Credential Manager, and Linux secret services — through deny-by-default action gating. Any command or API call that queries stored credentials is denied before execution. Install with npx @authensor/safeclaw and your system passwords, certificates, and tokens are protected from the first agent action.
Why System Credential Stores Are Critical
Your OS credential store contains the most sensitive data on your machine:
- Wi-Fi passwords — Access to all networks you have connected to
- Application passwords — Stored credentials for email, databases, and APIs
- Certificates and private keys — Code signing certificates, SSL/TLS keys
- OAuth tokens — Active sessions for cloud services
- SSH passphrases — Decryption keys for SSH private keys
- Browser saved passwords — When the browser delegates to the OS keychain
On macOS, the security command can dump keychain items. On Windows, cmdkey and PowerShell cmdlets can enumerate stored credentials.
Step 1: Install SafeClaw
npx @authensor/safeclaw
Zero dependencies, MIT licensed. Works with Claude, OpenAI, and all agent frameworks.
Step 2: Block macOS Keychain Access
# safeclaw.policy.yaml
rules:
  # Block the security command (macOS Keychain CLI)
  - action: shell.execute
    command_pattern: "security *"
    effect: deny
    reason: "Block macOS Keychain access via security command"
  - action: shell.execute
    command_pattern: "security find-generic-password*"
    effect: deny
    reason: "Block reading generic passwords from Keychain"
  - action: shell.execute
    command_pattern: "security find-internet-password*"
    effect: deny
    reason: "Block reading internet passwords from Keychain"
  - action: shell.execute
    command_pattern: "security dump-keychain*"
    effect: deny
    reason: "Block dumping entire Keychain contents"
  - action: shell.execute
    command_pattern: "security export*"
    effect: deny
    reason: "Block exporting Keychain items"
  # Block Keychain file access
  - action: file.read
    path: "~/Library/Keychains/**"
    effect: deny
    reason: "Block direct access to Keychain database files"
  - action: file.read
    path: "/Library/Keychains/**"
    effect: deny
    reason: "Block access to system Keychain files"
Step 3: Block Windows Credential Manager Access
rules:
  # Block cmdkey (Windows Credential Manager CLI)
  - action: shell.execute
    command_pattern: "cmdkey *"
    effect: deny
    reason: "Block Windows Credential Manager access via cmdkey"
  - action: shell.execute
    command_pattern: "cmdkey /list*"
    effect: deny
    reason: "Block listing stored Windows credentials"
  # Block PowerShell credential access
  - action: shell.execute
    command_pattern: "powershell*Get-StoredCredential*"
    effect: deny
    reason: "Block PowerShell credential retrieval"
  - action: shell.execute
    command_pattern: "powershell*CredentialManager*"
    effect: deny
    reason: "Block PowerShell Credential Manager module"
  - action: shell.execute
    command_pattern: "powershell*[System.Net.NetworkCredential]*"
    effect: deny
    reason: "Block PowerShell network credential access"
  # Block Windows Credential files
  - action: file.read
    path: "/mnt/c/Users/*/AppData/Local/Microsoft/Credentials/*"
    effect: deny
    reason: "Block Credential Manager files from WSL"
Step 4: Block Linux Secret Services
rules:
  # Block GNOME Keyring
  - action: shell.execute
    command_pattern: "secret-tool *"
    effect: deny
    reason: "Block GNOME Keyring access via secret-tool"
  - action: shell.execute
    command_pattern: "gnome-keyring*"
    effect: deny
    reason: "Block GNOME Keyring daemon interaction"
  # Block KDE Wallet
  - action: shell.execute
    command_pattern: "kwallet*"
    effect: deny
    reason: "Block KDE Wallet access"
  # Block pass (password manager)
  - action: shell.execute
    command_pattern: "pass *"
    effect: deny
    reason: "Block pass password manager"
  # Block libsecret
  - action: file.read
    path: "~/.local/share/keyrings/**"
    effect: deny
    reason: "Block GNOME Keyring database files"
Step 5: Block Credential Helper Access
Git and other tools use credential helpers that interface with the OS keychain:
rules:
  - action: shell.execute
    command_pattern: "git credential*"
    effect: deny
    reason: "Block git credential helper access"
  - action: shell.execute
    command_pattern: "credential-osxkeychain"
    effect: deny
    reason: "Block macOS git credential helper"
  - action: shell.execute
    command_pattern: "credential-wincred"
    effect: deny
    reason: "Block Windows git credential helper"
Step 6: Test and Audit
npx @authensor/safeclaw --simulate
The log confirms:
[DENIED] shell.execute: "security find-generic-password -s 'AWS' -w"
Rule: "Block reading generic passwords from Keychain"
Check the hash-chained audit trail:
npx @authensor/safeclaw audit --filter "reason:Keychain"
SafeClaw is open-source with 446 tests and works with both Claude and OpenAI providers.
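A coverage check for the deny patterns above, as an added example that is not SafeClaw's code or its matcher. It assumes `*` matches any run of characters, that a pattern must match the whole command string, and that the longest matching pattern is the one reported (chosen to agree with the Step 6 log line); `globToRegExp`, `explicitDeny`, `coverage` and the sample commands are constructed for illustration.

```javascript
// Added example: offline coverage check for deny patterns (not SafeClaw code).
// Assumption: patterns are globs matched against the whole command string,
// where "*" matches any run of characters. SafeClaw's matcher may differ.
const rules = [ // patterns and reasons copied from the policy on this page
  { pattern: "security *", reason: "Block macOS Keychain access via security command" },
  { pattern: "security find-generic-password*", reason: "Block reading generic passwords from Keychain" },
  { pattern: "security dump-keychain*", reason: "Block dumping entire Keychain contents" },
  { pattern: "cmdkey *", reason: "Block Windows Credential Manager access via cmdkey" },
  { pattern: "secret-tool *", reason: "Block GNOME Keyring access via secret-tool" },
];

// Translate a glob into an anchored RegExp, escaping regex metacharacters.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$", "s");
}

// Return the most specific matching rule (longest pattern), or null.
// Assumption: "most specific wins" mirrors the rule named in the Step 6 log.
function explicitDeny(command) {
  const hits = rules.filter((r) => globToRegExp(r.pattern).test(command.trim()));
  hits.sort((a, b) => b.pattern.length - a.pattern.length);
  return hits.length ? hits[0] : null;
}

// Split commands into those an explicit rule covers and those that only the
// deny-by-default fallback would stop.
function coverage(commands) {
  const report = { explicit: {}, defaultOnly: [] };
  for (const cmd of commands) {
    const rule = explicitDeny(cmd);
    if (rule) report.explicit[cmd] = rule.reason;
    else report.defaultOnly.push(cmd);
  }
  return report;
}

// Constructed sample commands; the first is the one shown in the Step 6 log.
const samples = [
  "security find-generic-password -s 'AWS' -w",
  "security dump-keychain",
  "/usr/bin/security find-generic-password -s 'AWS' -w", // same tool by absolute path
  "cmdkey /list",
  "secret-tool lookup service aws",
];
console.log(JSON.stringify(coverage(samples), null, 2));
```

Under these assumptions, anything listed in `defaultOnly` is stopped only by the deny-by-default fallback, so those are the commands to re-check whenever an allow rule is added to the policy.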