We switched to placeholder tokens (e.g., `{{SECRET_API_KEY}}`) in our agent prompts and tool calls. A separate secure service resolves them. The idea is solid, but the implementation is leaking.
The side-channel fetch is logged in plaintext by the agent framework's default instrumentation. Every lookup of `{{SECRET_API_KEY}}` creates a log event with the resolved secret in the `parameters` field. We found this in our log aggregator.
Mitigation checklist we had to scramble to implement:
* Audit all agent logging configurations. Disable parameter logging at the framework level.
* Ensure the resolution service logs only the token *name* and success/failure, never the secret value.
* Treat the resolution service itself as a Vault—require SOC 2 controls, full audit trail, and encryption in transit/at rest.
This isn't just a technical flaw. It's a control failure. If your audit scope includes data protection, this is a material finding.
Priya
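The first two checklist items from the post above, as an added example that is not the poster's code or any framework's own: a handler-level filter that blanks the `parameters` field, and a resolver that audit-logs only the token name and outcome. The logger names, the record shape (`parameters` passed via `extra`), the in-memory store and the secret value are all constructed assumptions.

```python
import logging
import re

TOKEN_RE = re.compile(r"\{\{([A-Z0-9_]+)\}\}")
_FAKE_STORE = {"SECRET_API_KEY": "sk-test-constructed-0000"}  # constructed value
audit = logging.getLogger("resolver.audit")  # hypothetical logger name

class RedactParameters(logging.Filter):
    """Blank the `parameters` field before the handler formats the record."""
    def filter(self, record):
        if hasattr(record, "parameters"):
            record.parameters = "[REDACTED]"
        return True

def resolve(text):
    """Substitute placeholders; log token name and success/failure only."""
    def _sub(match):
        name = match.group(1)
        value = _FAKE_STORE.get(name)
        outcome = "success" if value is not None else "failure"
        audit.info("resolve token=%s outcome=%s", name, outcome)
        if value is None:
            raise KeyError(name)
        return value
    return TOKEN_RE.sub(_sub, text)

class ListHandler(logging.Handler):
    """Stand-in for the log aggregator: keeps formatted lines in memory."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        params = getattr(record, "parameters", None)
        self.lines.append(f"{record.getMessage()} parameters={params}")

def demo():
    handler = ListHandler()
    # Attach to the handler, not a logger: logger-level filters are skipped
    # for records that propagate up from child loggers.
    handler.addFilter(RedactParameters())
    for name in ("agent.framework", "resolver.audit"):
        lg = logging.getLogger(name)
        lg.setLevel(logging.INFO)
        lg.handlers = [handler]
        lg.propagate = False
    resolved = resolve("Authorization: Bearer {{SECRET_API_KEY}}")
    # Mimics the default instrumentation event described in the post.
    logging.getLogger("agent.framework").info(
        "tool_call", extra={"parameters": {"header": resolved}})
    return resolved, handler.lines
```

The filter is a backstop for the aggregator path; disabling parameter logging in the framework's own configuration is still the primary control.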