The CVE count on the Lightsail blueprint is the part that gets me. 31 unpatched CVEs in the default install is not a hardening problem; it's a baseline hygiene problem. The hardening hasn't even started yet.
The curl-pipe-sh-as-root pattern is endemic to self-hosted AI agent tooling right now. Everyone's moving fast, nobody's thinking about the install footprint. The Bitsight 30k exposed instances number makes more sense when you see what the install process looks like.
Good Terraform module. One thing worth adding if you haven't: credential scoping at the agent level, not just network-level hardening. A hardened perimeter with over-privileged agents inside is still a single compromise away from full blast radius.
aleks2 23 hours ago
Right now the module handles secrets at the infrastructure layer (Secrets Manager + KMS, IAM least-privilege for the EC2 instance), but you're right - agent-level credential scoping is a genuinely different problem that it doesn't address yet. Great feedback, adding it to the roadmap.
On the CVE count - yeah, it really is a baseline hygiene problem, not a hardening problem. The hardening conversation can't even begin until you have a clean image. The fact that this is the default recommended deployment for a tool with 300K users is pretty telling about where the industry is right now. Everyone's shipping "deploy your AI agent in 5 minutes" experiences where minute six is when someone else's agent is running on your infrastructure too.
Mooshux 13 hours ago
"Minute six" is a good way to put it.
The infra layer and the agent layer really are separate problems. Secrets Manager + KMS handles storage correctly, but if an agent holds a broad-scope key for the duration of a session, the blast radius is still wide open. A compromised skill or prompt injection can use that key for anything it has access to.
The pattern that actually closes the gap: the agent never holds the raw key at all. It gets a short-lived, scoped token that maps to the real credential server-side, and that mapping expires. So even a fully compromised agent context can't do much with what it has.
That's what we built at API Stronghold if it's useful context for the roadmap item: https://www.apistronghold.com/blog/phantom-token-pattern-pro...
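The broker pattern described in the comment above, as an added worked example that is not code from this thread, from the Terraform module, or from API Stronghold. It is a self-contained sketch: the long-lived credential stays inside a server-side broker, the agent is handed an opaque random token bound to an (action, resource) scope and an expiry, and the broker performs the privileged call itself, so a prompt-injected agent holding the token cannot widen its scope, read the secret, or outlive the session. All names, the `CredentialBroker` API, the fake cloud call and the sample credential are constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass


class ScopeError(PermissionError):
    """The token is live but does not authorise this action/resource."""


class TokenError(PermissionError):
    """The token is unknown, revoked, or past its expiry."""


@dataclass(frozen=True)
class Grant:
    credential_id: str
    allowed: frozenset      # {(action, resource_pattern)}; pattern may end in "*"
    expires_at: float


def _in_scope(allowed, action, resource):
    """Exact action match; resource matches exactly or by trailing-* prefix."""
    for act, pattern in allowed:
        if act != action:
            continue
        if pattern == resource:
            return True
        if pattern.endswith("*") and resource.startswith(pattern[:-1]):
            return True
    return False


def _fake_cloud_call(credential, action, resource):
    """Stand-in for a real API client (constructed for the example). It only
    reports which identity was used and never echoes the secret back."""
    return {"ok": True, "action": action, "resource": resource,
            "authenticated_as": credential["key_id"]}


class CredentialBroker:
    """Holds long-lived credentials server-side; agents only get opaque tokens."""

    def __init__(self, real_credentials, clock=time.time):
        self._creds = dict(real_credentials)   # credential_id -> {"key_id", "secret"}
        self._grants = {}                      # opaque token -> Grant
        self._clock = clock
        self.audit = []                        # (verdict, action, resource)

    def issue(self, credential_id, allowed, ttl_seconds):
        """Mint a short-lived token scoped to the given (action, resource) pairs."""
        if credential_id not in self._creds:
            raise KeyError(credential_id)
        token = secrets.token_urlsafe(32)      # 256-bit random: unguessable and opaque
        self._grants[token] = Grant(credential_id, frozenset(allowed),
                                    self._clock() + ttl_seconds)
        return token

    def revoke(self, token):
        self._grants.pop(token, None)

    def invoke(self, token, action, resource):
        """Perform `action` on `resource` with the real credential, on the agent's
        behalf, if and only if the token is live and the request is in scope."""
        grant = self._grants.get(token)
        if grant is None:
            raise TokenError("unknown or revoked token")
        if self._clock() >= grant.expires_at:
            del self._grants[token]            # lazily drop the expired mapping
            raise TokenError("token expired")
        if not _in_scope(grant.allowed, action, resource):
            self.audit.append(("denied", action, resource))
            raise ScopeError(f"{action} on {resource} is outside the grant")
        self.audit.append(("allowed", action, resource))
        return _fake_cloud_call(self._creds[grant.credential_id], action, resource)


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk through one agent session and return what the agent observed."""
    clock = FakeClock()
    # Constructed sample credential; the agent never sees these values.
    broker = CredentialBroker({"prod-s3": {"key_id": "AKIAEXAMPLE", "secret": "not-shown"}},
                              clock=clock)
    token = broker.issue("prod-s3", [("s3:GetObject", "reports/*")], ttl_seconds=300)
    outcomes = [broker.invoke(token, "s3:GetObject", "reports/q1.csv")["authenticated_as"]]
    # A prompt-injected agent reuses the token for deletion and for a path outside
    # the prefix; both are refused and the real key is never touched.
    for action, resource in [("s3:DeleteObject", "reports/q1.csv"),
                             ("s3:GetObject", "secrets/db.env")]:
        try:
            broker.invoke(token, action, resource)
        except ScopeError:
            outcomes.append("denied")
    clock.advance(301)                         # session ends; the mapping expires
    try:
        broker.invoke(token, "s3:GetObject", "reports/q1.csv")
    except TokenError:
        outcomes.append("expired")
    return outcomes


if __name__ == "__main__":
    print(demo())   # ['AKIAEXAMPLE', 'denied', 'denied', 'expired']
```

The point worth noticing is what the agent's memory contains if it is fully dumped: a random string that is useless outside the broker, only for the granted scope, and only until `expires_at`. The audit list gives the defender the denied calls, which is exactly the signal a prompt-injection attempt leaves behind.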
Thanks for the interest! The module is standard Terraform - you'd consume it like any other module from the registry or GitHub source. So anything that can run `terraform apply` should work.
That said, I'm not 100% sure which "Skill" you mean - is it the Kubiya skill runtime (skill-ai.dev)? If so, it already has Terraform integration, so wrapping this module should be straightforward.
Happy to help if you run into anything.