The Right Way to Handle API Keys When Your Agent Reads Untrusted Content

There is a category of AI agent that most security guidance does not account for properly: the one that reads things. An agent with predefined workflows and controlled inputs has a manageable threat model. An agent that reads webpages, processes documents, handles emails, or parses API responses from third parties is a different situation. Some of that content is written by people who know you are building agents and know exactly what credentials your agent is likely to hold. The moment your agent reads untrusted external content, the credential security model has to change. What untrusted content can do Indirect prompt injection is the attack class where malicious instructions arrive through data the agent processes rather than through direct interaction. The agent reads a webpage. That page contains a hidden instruction formatted to look like a system message. The agent follows it. The instruction does not need to be subtle. Something like this embedded in a document your agent proce