DEV Community

Lukas Hirt

Running autonomous agents without exposing credentials directly

I’ve been spending a lot of time experimenting with agent workflows that need access to real services. Stripe test mode, internal APIs, automation systems, things like that.

One pattern kept making me uneasy.

Most setups hand credentials directly to the agent process and then rely on prompts, tool wrappers, or good behaviour to keep things under control. That works for demos. It starts feeling brittle pretty quickly once the workflows become more autonomous.

So I built tsk.

It’s a local-first MCP server that sits between an LLM agent and the APIs it interacts with. The idea is simple: the model shouldn’t have direct access to credentials in the first place.

Secrets live in ~/.tsk/.secrets, outside the project directory, and access is controlled through a rules.yaml allowlist that defines which API actions are actually permitted. tsk then exposes only those approved operations as MCP tools.

A few things happen at runtime:

  • credentials get injected without being exposed to the agent itself
  • sensitive values are scrubbed from responses before they reach the model
  • tool-level rate limits are enforced
  • every call is written to a local SQLite audit log

The main goal was separating policy enforcement from the model layer entirely.

A hallucinated tool call, prompt injection, or even a typo shouldn’t quietly trigger privileged API requests with full credentials attached. That became especially obvious while testing longer-running autonomous workflows.
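To make that boundary concrete, here is a small Go sketch of the pattern (an added example, not tsk's own code): the agent asks for a tool by name, and everything else (allowlist lookup, bearer-token injection, the call cap, response scrubbing, and the audit record) happens on the broker side. It assumes a constructed fake upstream and a placeholder token instead of the real `~/.tsk/.secrets` file, a simple lifetime call cap instead of a windowed rate limit, and illustrative scrubbing regexes.

```go
package main
import "fmt"
import "regexp"

// Broker keeps policy and secrets outside the model's reach: the agent only learns tool names.
type Broker struct {
	allow   map[string]string                    // tool name -> upstream URL (the allowlist)
	secrets map[string]string                    // tool name -> bearer token, never returned
	calls   map[string]int                       // per-tool call count
	send    func(url, auth string) (int, string) // stand-in for the HTTP client
	Audit   []string                             // stand-in for tsk's SQLite log
}
var scrubbers = []struct{ tag string; re *regexp.Regexp }{
	{"[email]", regexp.MustCompile(`[\w.%+-]+@[\w.-]+\.[A-Za-z]{2,}`)},
	{"[iban]", regexp.MustCompile(`\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b`)},
	{"[card]", regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)},
}
// Scrub masks sensitive values before a response reaches the model.
func Scrub(s string) string {
	for _, sc := range scrubbers {
		s = sc.re.ReplaceAllString(s, sc.tag)
	}
	return s
}
// Call enforces the allowlist and a per-tool cap, injects the token, scrubs, and audits.
func (b *Broker) Call(tool string) (string, error) {
	url, ok := b.allow[tool]
	if !ok || b.calls[tool] >= 2 { // 2 = illustrative lifetime cap, not tsk's windowed limit
		b.Audit = append(b.Audit, fmt.Sprintf("DENY %s allowlisted=%t calls=%d", tool, ok, b.calls[tool]))
		return "", fmt.Errorf("tool %q denied", tool)
	}
	b.calls[tool]++
	status, body := b.send(url, "Bearer "+b.secrets[tool]) // injected here, not by the agent
	b.Audit = append(b.Audit, fmt.Sprintf("ALLOW %s %d", tool, status))
	return Scrub(body), nil
}
// NewDemo wires a broker to a constructed fake upstream that requires the token.
func NewDemo() *Broker {
	const token = "sk_test_PLACEHOLDER" // constructed; tsk would load it from ~/.tsk/.secrets
	fake := func(_, auth string) (int, string) {
		if auth == "Bearer "+token {
			return 200, `{"email":"ada@example.com","iban":"DE89370400440532013000"}`
		}
		return 401, `{"error":"unauthorized"}`
	}
	return &Broker{allow: map[string]string{"list_customers": "https://api.example.test/v1/customers"},
		secrets: map[string]string{"list_customers": token}, calls: map[string]int{}, send: fake}
}
func main() { b := NewDemo(); fmt.Println(b.Call("list_customers")); fmt.Println(b.Audit) }
```

A request for a tool name that is not in the allowlist never reaches the upstream at all, and the token string only ever exists inside `Call`.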

I also wanted the setup to stay lightweight:

  • single Go binary
  • no daemon
  • no cloud dependency
  • no account system

It uses STDIO MCP, so it works with Claude Code, Claude Desktop, OpenClaw and other MCP-compatible agents.

Current features:

  • HTTP tools
  • bearer and header authentication
  • per-tool rate limits
  • scrubbing for emails, IBANs, credit cards, and custom regex patterns
  • SQLite activity logging

Releases include SBOMs and SLSA attestations, and the installer can verify checksums and attestations automatically during install.

Install:

curl -fsSL https://tesserak.dev/install.sh | sh

or

go install github.com/tesserakdev/tsk/cmd/tsk@latest

Repo: https://github.com/tesserakdev/tsk

I’d genuinely appreciate feedback, especially around the rules.yaml structure and the default scrubbing behaviour. Feels like we’re still collectively figuring out what a practical security boundary for autonomous agents should actually look like.
