English

CapSeal: Capability-Sealed Secret Mediation for Secure Agent Execution

Cryptography and Security 2026-04-21 v1 Artificial Intelligence

Abstract

Modern AI agents routinely depend on secrets such as API keys and SSH credentials, yet the dominant deployment model still exposes those secrets directly to the agent process through environment variables, local files, or forwarding sockets. This design fails against prompt injection, tool misuse, and model-controlled exfiltration because the agent can both use and reveal the same bearer credential. We present CapSeal, a capability-sealed secret mediation architecture that replaces direct secret access with constrained invocations through a local trusted broker. CapSeal combines capability issuance, schema-constrained HTTP execution, broker-executed SSH actions, anti-replay session binding, policy evaluation, and tamper-evident audit trails. We describe a Rust prototype integrated with an MCP-facing adapter, formulate conditional security goals for non-disclosure, constrained use, replay resistance, and auditability, and define an evaluation plan spanning prompt injection, tool misuse, and SSH abuse. The resulting system reframes secret handling for agentic systems from handing the model a key to granting the model a narrowly scoped, non-exportable action capability.

Keywords

Cite

@article{arxiv.2604.16762,
  title  = {CapSeal: Capability-Sealed Secret Mediation for Secure Agent Execution},
  author = {Shutong Jin and Ruiyi Guo and Ray C. C. Cheung},
  journal= {arXiv preprint arXiv:2604.16762},
  year   = {2026}
}

Comments

11 pages, 5 figures. Research preprint on secure secret mediation for agent systems

R2 v1 2026-07-01T12:15:37.127Z