#tsk — keep API credentials out of your agent's .env file

rocky umbra

Hey 👋 just open-sourced tsk, a tool I built for the agents-touching-real-APIs problem.

tsk is a local MCP server that sits between your agent and external APIs. Credentials live in ~/.tsk/.secrets, outside any project directory. The agent process never reads them. You write a rules.yaml listing which API calls the agent is allowed to make; tsk exposes those as MCP tools, injects the credential at call time, scrubs configured patterns (credit cards, IBANs, custom regex) from responses before the model sees them, and writes every call to a local SQLite db. tsk logs --tail 20 shows exactly what your agent actually did.

Built it because the .env setup felt wrong for anything past throwaway scripts: a prompt injection or a hallucinated tool call hits the live API at full privilege and the audit trail is whatever your app happens to log.

Single Go binary, Apache 2.0, no daemon / no cloud / no account. stdio MCP.

→ https://github.com/tesserakdev/tsk

Keen on feedback re: the rules schema (examples/rules.yaml) and what scrubbing patterns should be in defaults.
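
The mediation pattern the post describes (allowlist, credential injected at call time, every attempt logged), as an added Go example that is not tsk's own code: a hypothetical Gateway type is the only thing holding the secrets, the agent supplies a tool name and arguments, the Authorization header is attached only after the allowlist check, and every call, refused ones included, is appended to an in-memory audit log. The Rule fields, tool names, the fake upstream and the token are all constructed for this example; tsk's real rules.yaml schema and SQLite storage are not shown here.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// Rule is one allow-listed upstream call (hypothetical schema, not tsk's rules.yaml).
type Rule struct {
	Method, Path string
	Secret       string // name of the credential to inject at call time
}

// AuditEntry is appended for every attempted call, refused ones included.
type AuditEntry struct {
	When         time.Time
	Tool, Reason string
	Allowed      bool
	Status       int
}

// Gateway is the only component that holds credentials. The agent hands it a
// tool name plus arguments and gets back only the upstream status and body.
type Gateway struct {
	upstream string
	secrets  map[string]string // stands in for ~/.tsk/.secrets (constructed values)
	rules    map[string]Rule   // stands in for rules.yaml (constructed values)
	client   *http.Client
	Log      []AuditEntry // stands in for the SQLite audit table
}

// Call checks the allowlist, injects the credential, forwards the request and
// records the outcome. The caller never supplies or receives the secret.
func (g *Gateway) Call(tool string, args url.Values) (int, string, error) {
	entry := AuditEntry{When: time.Now(), Tool: tool}
	defer func() { g.Log = append(g.Log, entry) }() // runs on every return path
	rule, ok := g.rules[tool]
	if !ok {
		entry.Reason = "tool not in allowlist"
		return 0, "", fmt.Errorf("refused: %s", entry.Reason)
	}
	secret, ok := g.secrets[rule.Secret]
	if !ok {
		entry.Reason = "no credential named " + rule.Secret
		return 0, "", fmt.Errorf("refused: %s", entry.Reason)
	}
	req, err := http.NewRequest(rule.Method, g.upstream+rule.Path+"?"+args.Encode(), nil)
	if err != nil {
		entry.Reason = err.Error()
		return 0, "", err
	}
	req.Header.Set("Authorization", "Bearer "+secret) // injected here, never by the agent
	resp, err := g.client.Do(req)
	if err != nil {
		entry.Reason = err.Error()
		return 0, "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	entry.Allowed, entry.Status = true, resp.StatusCode
	return resp.StatusCode, string(body), nil
}

// fakeUpstream stands in for the real API and accepts exactly one constructed token.
func fakeUpstream(token string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, "bad token", http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, "sent to %s", r.URL.Query().Get("to"))
	}))
}

// RunScenario issues one legitimate call and one call that is not on the
// allowlist (what a prompt injection or a hallucinated tool name looks like).
// It returns the gateway, so the audit log can be inspected, the body of the
// allowed call, and the error from the refused one.
func RunScenario() (*Gateway, string, error) {
	const token = "constructed-token-not-a-real-secret"
	srv := fakeUpstream(token)
	defer srv.Close()
	g := &Gateway{
		upstream: srv.URL,
		secrets:  map[string]string{"mail_api": token},
		rules:    map[string]Rule{"send_message": {Method: "POST", Path: "/messages", Secret: "mail_api"}},
		client:   srv.Client(),
	}
	_, body, _ := g.Call("send_message", url.Values{"to": {"alice@example.com"}})
	_, _, err := g.Call("delete_all_messages", nil) // refused before any network I/O
	return g, body, err
}

func main() {
	g, body, err := RunScenario()
	fmt.Println("allowed call:", body, "| refused call:", err)
	for _, e := range g.Log { // the equivalent of `tsk logs --tail`
		fmt.Printf("%s tool=%s allowed=%t status=%d %s\n", e.When.Format(time.RFC3339), e.Tool, e.Allowed, e.Status, e.Reason)
	}
}
```

The point of the shape is that the refused call never produces an HTTP request and still produces an audit row, so the post-incident question "what did the agent try?" is answered by the gateway rather than by whatever the application happened to log.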

ancient heron

Like the audit trail piece, that's the thing people skip and then can't reconstruct after an incident. tsk logs --tail 20 is exactly the right ergonomic.

On scrubbing defaults, beyond CCs and IBANs the ones that hurt most in production tend to be: bearer tokens (Authorization: Bearer ...), API key prefixes (sk-, sk-ant-, AKIA/ASIA for AWS), JWT-shaped strings (xxx.yyy.zzz), and email addresses for GDPR. The AWS/GCP key shapes catch real exfil patterns. JWTs are worth scrubbing because they often carry sensitive claims the model doesn't need.

On rules schema, worth thinking about per-call argument constraints not just allowlist of which call. Like "allow POST /messages where body.to is in list X" rather than just "allow POST /messages". Closes the loop on prompt-injection redirecting a legit tool to a hostile destination.

Also curious how you handle credential rotation. Does updating ~/.tsk/.secrets while a session is running pick up live, or does the agent need to restart?
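
The scrubbing defaults and the per-call argument constraint suggested in this reply, as an added Go example (not tsk's code): one regex per suggested pattern, email kept as an opt-in rule, card matches confirmed with a Luhn check so that an order number of the same shape is not redacted, and a CheckArgs function implementing "allow the call only where body.to is in list X". The regexes, the rule names, the constructed sample response and the ArgConstraint schema are this example's own assumptions; none of the sample values is a real credential.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ScrubRule names a pattern plus an optional validator that must also pass
// before a match is redacted.
type ScrubRule struct {
	Name  string
	Re    *regexp.Regexp
	Check func(string) bool
}

// DefaultScrubRules cover the patterns suggested in the thread. The regexes are
// this example's own, not tsk's. Order matters: a bearer token is often also a
// JWT, and the first rule to match is the one that names the hit.
var DefaultScrubRules = []ScrubRule{
	{Name: "bearer", Re: regexp.MustCompile(`(?i)\bbearer\s+[A-Za-z0-9._~+/=-]+`)},
	{Name: "aws_key", Re: regexp.MustCompile(`\b(?:AKIA|ASIA)[A-Z0-9]{16}\b`)},
	{Name: "vendor_key", Re: regexp.MustCompile(`\bsk-[A-Za-z0-9_-]{8,}`)}, // sk- and sk-ant- prefixes
	{Name: "jwt", Re: regexp.MustCompile(`\beyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*`)},
	// 13 to 19 digits with optional separators, redacted only when the Luhn
	// checksum holds, so an order number of the same shape is left alone.
	{Name: "card", Re: regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`), Check: luhnOK},
}

// EmailRule is opt-in: addresses are often the useful part of a response.
var EmailRule = ScrubRule{Name: "email", Re: regexp.MustCompile(`\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b`)}

// luhnOK reports whether the digits in s (separators ignored) pass the Luhn check.
func luhnOK(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		if s[i] < '0' || s[i] > '9' {
			continue
		}
		d := int(s[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Scrub applies the rules in order and returns the cleaned text plus a count per
// rule name, which is what belongs in the audit log instead of the raw values.
func Scrub(text string, rules []ScrubRule) (string, map[string]int) {
	hits := map[string]int{}
	for _, r := range rules {
		text = r.Re.ReplaceAllStringFunc(text, func(m string) string {
			if r.Check != nil && !r.Check(m) {
				return m
			}
			hits[r.Name]++
			return "[REDACTED:" + r.Name + "]"
		})
	}
	return text, hits
}

// SampleResponse is a constructed upstream reply; nothing in it is a real secret.
const SampleResponse = `{"token":"Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSJ9.c2lnbmF0dXJl",` +
	`"aws":"AKIAIOSFODNN7EXAMPLE","key":"sk-ant-api03-abcdefghij",` +
	`"card":"4111 1111 1111 1111","order":"1234 5678 9012 3456","owner":"alice@example.com"}`

// ScrubSample runs the default rules over SampleResponse.
func ScrubSample() (string, map[string]int) { return Scrub(SampleResponse, DefaultScrubRules) }

// ArgConstraint pins one argument of an allow-listed call to a fixed set: the
// "POST /messages where body.to is in list X" idea, in a hypothetical schema.
type ArgConstraint struct {
	Arg     string
	AllowIn []string
}

// CheckArgs refuses a call whose constrained argument is missing or off-list,
// which is what stops an injected prompt from pointing a legitimate tool at a
// hostile destination.
func CheckArgs(constraints []ArgConstraint, args map[string]string) error {
	for _, c := range constraints {
		v, ok := args[c.Arg]
		if !ok {
			return fmt.Errorf("argument %q is required", c.Arg)
		}
		allowed := false
		for _, a := range c.AllowIn {
			if strings.EqualFold(a, v) {
				allowed = true
			}
		}
		if !allowed {
			return fmt.Errorf("argument %s=%q is not in the allowed list", c.Arg, v)
		}
	}
	return nil
}

func main() {
	out, hits := ScrubSample()
	fmt.Println(out, hits)
	out, hits = Scrub(SampleResponse, append(append([]ScrubRule{}, DefaultScrubRules...), EmailRule))
	fmt.Println(out, hits)
	to := []ArgConstraint{{Arg: "to", AllowIn: []string{"alice@example.com", "bob@example.com"}}}
	fmt.Println(CheckArgs(to, map[string]string{"to": "alice@example.com"}))
	fmt.Println(CheckArgs(to, map[string]string{"to": "attacker@evil.example"}))
}
```

Two things worth keeping when adapting this: the per-rule hit counts go to the log rather than the matched values, so the audit trail does not become a second copy of the secrets, and the Luhn validator is what keeps a "card" default from silently eating invoice and order numbers.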

rocky umbra

Thank you for the feedback, @ancient heron!

Good ideas on the other defaults. I guess I would make emails opt-in, as I can imagine them being useful in the output passed to the agent. What do you think?

+1 on the per-call argument constraints. I'll definitely make this part of the next version.

Live credential rotation is not supported right now, unfortunately, so a restart is required. I am planning to implement it so that it's easier to work with, but first I want to think a bit more about the audit trail for this.