CapSeal: Capability-Sealed Secret Mediation for Secure Agent Execution
Shutong Jin, Ruiyi Guo, Ray C. C. Cheung

TL;DR
CapSeal introduces a secure architecture for AI agents that mediates secret access through constrained, tamper-evident interactions, enhancing security against exfiltration and misuse.
Contribution
This paper presents CapSeal, a novel capability-based secret mediation system that replaces direct secret access with constrained, auditable actions for AI agents.
Findings
Prototype implemented in Rust with MCP adapter
Formulated security goals including non-disclosure and replay resistance
Evaluation plan covers prompt injection, tool misuse, and SSH abuse
Abstract
Modern AI agents routinely depend on secrets such as API keys and SSH credentials, yet the dominant deployment model still exposes those secrets directly to the agent process through environment variables, local files, or forwarding sockets. This design fails against prompt injection, tool misuse, and model-controlled exfiltration because the agent can both use and reveal the same bearer credential. We present CapSeal, a capability-sealed secret mediation architecture that replaces direct secret access with constrained invocations through a local trusted broker. CapSeal combines capability issuance, schema-constrained HTTP execution, broker-executed SSH actions, anti-replay session binding, policy evaluation, and tamper-evident audit trails. We describe a Rust prototype integrated with an MCP-facing adapter, formulate conditional security goals for non-disclosure, constrained use,…
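As an added illustration (not CapSeal's code or API), the following toy broker sketches the pattern the abstract describes: the agent holds a capability rather than the bearer key, the broker checks each request against the capability's schema and lifetime, rejects replayed nonces, attaches the secret itself, and keeps a hash-chained audit log. The capability fields, the log format, the stub transport and the constructed key are all assumptions.

```python
import hashlib, json, time
from dataclasses import dataclass
SECRET = "sk-constructed-example-key"  # constructed value; only the broker ever holds it

@dataclass
class Capability:          # what the agent holds instead of the secret (assumed shape)
    session: str
    host: str
    methods: tuple
    path_prefix: str
    expires: float

class Broker:
    def __init__(self, transport):
        self.transport = transport      # performs the real HTTP call (stubbed below)
        self.seen = set()               # (session, nonce) pairs already accepted
        self.audit, self._prev = [], "0" * 64   # hash-chained, tamper-evident log

    def issue(self, session, host, methods, path_prefix, ttl=60):
        return Capability(session, host, tuple(methods), path_prefix, time.time() + ttl)

    def _log(self, event):
        entry = json.dumps({"prev": self._prev, **event}, sort_keys=True)
        self._prev = hashlib.sha256(entry.encode()).hexdigest()
        self.audit.append(entry)

    def invoke(self, cap, method, host, path, nonce):
        # policy evaluation: the request must fit the capability's schema and lifetime
        ok = (time.time() < cap.expires and host == cap.host
              and method in cap.methods and path.startswith(cap.path_prefix))
        # anti-replay session binding: each (session, nonce) pair is honoured once
        if ok and (cap.session, nonce) in self.seen:
            ok = False
        self._log({"session": cap.session, "method": method, "host": host,
                   "path": path, "nonce": nonce, "allowed": ok})
        if not ok:
            return {"status": 403, "body": "denied by broker"}
        self.seen.add((cap.session, nonce))
        # the bearer secret is attached here and is never part of the agent's view
        return self.transport(method, host, path, {"Authorization": f"Bearer {SECRET}"})

def verify_audit(entries):   # recompute the chain; an edited or dropped entry breaks it
    prev = "0" * 64
    for e in entries:
        if json.loads(e)["prev"] != prev: return False
        prev = hashlib.sha256(e.encode()).hexdigest()
    return True

def fake_transport(method, host, path, headers):   # stand-in for a real HTTP client
    authed = headers.get("Authorization") == f"Bearer {SECRET}"
    return {"status": 200 if authed else 401, "body": f"{method} {host}{path}"}
```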
