defense 2026

CapSeal: Capability-Sealed Secret Mediation for Secure Agent Execution

Shutong Jin 1, Ruiyi Guo 2, Ray C. C. Cheung 1

0 citations

Published on arXiv: 2604.16762

Threat categories:
  • Prompt Injection (OWASP LLM Top 10 — LLM01)
  • Insecure Plugin Design (OWASP LLM Top 10 — LLM07)

Key Finding

Reframes agent secret handling from direct credential exposure to non-exportable, policy-constrained action capabilities with broker enforcement

CapSeal

Novel technique introduced


Modern AI agents routinely depend on secrets such as API keys and SSH credentials, yet the dominant deployment model still exposes those secrets directly to the agent process through environment variables, local files, or forwarding sockets. This design fails against prompt injection, tool misuse, and model-controlled exfiltration because the agent can both use and reveal the same bearer credential. We present CapSeal, a capability-sealed secret mediation architecture that replaces direct secret access with constrained invocations through a local trusted broker. CapSeal combines capability issuance, schema-constrained HTTP execution, broker-executed SSH actions, anti-replay session binding, policy evaluation, and tamper-evident audit trails. We describe a Rust prototype integrated with an MCP-facing adapter, formulate conditional security goals for non-disclosure, constrained use, replay resistance, and auditability, and define an evaluation plan spanning prompt injection, tool misuse, and SSH abuse. The resulting system reframes secret handling for agentic systems from handing the model a key to granting the model a narrowly scoped, non-exportable action capability.


Key Contributions

  • Capability-sealed secret mediation architecture that replaces direct credential access with broker-mediated, schema-constrained invocations
  • Rust prototype with MCP adapter supporting HTTP and SSH capability types with session binding and anti-replay protection
  • Evaluation methodology spanning prompt injection, tool misuse, and SSH abuse with tamper-evident audit trails

Details

Domains: nlp
Model Types: llm
Threat Tags: inference_time
Applications:
  • ai agent systems
  • mcp tool execution
  • credential management