Credential-use tripwires for AI agents

Know the moment an agent tries to use bait credentials.

Snare plants fake credentials where coding agents already look. When an agent tries one, the credential itself calls home — often before the real API call exists.

3 default / 18 total types No daemon Apache 2.0

install

$ curl -fsSL https://snare.sh/install | sh
$ snare arm --webhook https://...
✓ 3 canaries armed. (awsproc, ssh, k8s)

! awsproc fired - agent-01 - before API call live

Profile team-deploy (credential_process)

Token agent-01-••••••••••••••••

IP 54.239.28.85

ASN Amazon Technologies Inc (AS16509)

User-Agent Boto3/1.34.46 md/Botocore#1.34.46 ua/2.0 os/linux#6.8.0

Timing T+0.01s during credential resolution

⚠ Likely AI agent — Amazon Technologies Inc (AS16509) IP, UA, timestamp only — no request body

Why it works

Catch the use, not the read.

Agents invoke SDKs, scan dotfiles, and act on what they find. Snare is built for the moment a bad prompt turns into active credential abuse.

Fires before the API call exists

awsproc runs inside the AWS SDK's credential resolution path. Before any network request. Before CloudTrail. The alert arrives while the agent still thinks it's fetching credentials.

Catches the use, not the read

Leaked env vars, malicious deps, exfiltrated dotfiles. Anyone who tries these credentials fires the alert. Not just compromised agents.

Your SDK is already wired for this

Snare doesn't install hooks. AWS, SSH, and k8s already have them: credential_process, ProxyCommand, server URL. Snare fills them with tripwires.

awsproc

Before CloudTrail. Before the API call.

credential_process runs inside the AWS SDK's credential chain before any network request exists. Snare puts a callback there instead of real keys. When something tries to use that profile, you get notified instantly. The API call fails. You know something tried.

An agent runs: aws s3 ls --profile team-deploy

T+0.00s

aws s3 ls --profile team-deploy

T+0.01s

AWS SDK begins credential resolution

T+0.01s

credential_process executes → alert in your webhook

T+0.02s

SDK receives fake JSON credentials

T+0.03s

SDK attempts ListBuckets() → fails

T+0.03s

Agent: "credentials may be invalid"

# ~/.aws/config
[profile team-deploy]
role_arn       = arn:aws:iam::123456789012:role/...
source_profile = team-deploy-source

[profile team-deploy-source]
credential_process = sh -c \
  'curl -sf https://snare.sh/c/agent-01-•••••••• \
  -o /dev/null 2>&1; \
  echo "{\"Version\":1,\"AccessKeyId\":\"AKIA...\",\"SecretAccessKey\":\"...\"}"'

CloudTrail never sees this. You do.

Canary Types

18 canaries. Three tiers.

Sorted by confidence. Precision fires via existing SDK and OS plumbing with no hunting required. High fires when a credential is actively used. Medium fires conditionally.

Precision Default. Fires automatically via SDK and OS plumbing when the credential is resolved or used. Near-zero false positives, no side effects.

High Fires when the credential is actively used. PyPI fires on every pip install you run (side effect). npm fires on scoped package installs. Others fire on any use of that credential — including your own tooling. Read the side-effect notes.

Medium Fires conditionally. Requires the attacker to also honor the SDK base URL override — a human who grabs the key and calls the real API directly won't trigger it. Useful but weaker signal.

Precision fires automatically via SDK/OS hooks. no hunting required. near-zero false positives.

awsproc ~/.aws/config credential_process runs inside the AWS SDK before any API call. Fires before CloudTrail.

ssh ~/.ssh/config ProxyCommand is the transport. Fires before any TCP connection to the fake host.

k8s ~/.kube/<name>.yaml Kubeconfig server URL points to snare.sh. Fires on any kubectl or SDK call.

High fires on active credential use. some types have side effects on your own tooling — check before enabling.

aws ~/.aws/credentials endpoint_url redirects any AWS SDK call using this profile to snare.sh.

gcp ~/.config/gcloud/sa-*.json token_uri redirects OAuth token exchange when the file is loaded as a service account.

npm ~/.npmrc Scoped registry entry. Fires on npm install of any package under the fake scope.

git ~/.gitconfig credential.helper fires when an agent runs git credential fill against the fake host.

pypi ~/.config/pip/pip.conf extra-index-url in pip config. ⚠ Every pip install you run will query snare.sh — package names visible in request metadata. High false-positive rate from your own tooling.

Medium fires conditionally. attacker must also honor the base URL override. a human grabbing the key and hitting the real API won't trigger it.

openai ~/.env OPENAI_BASE_URL redirect. Fires if agent loads dotenv and honors the base URL.

anthropic ~/.env.local ANTHROPIC_BASE_URL redirect. Same condition as openai.

azure ~/.azure/service-principal-credentials.json Custom tokenEndpoint. Fires if agent explicitly loads this file as a service principal.

mcp ~/.config/mcp-servers*.json Fake MCP server in a discoverable location. Fires when an MCP client connects.

github ~/.config/gh/hosts.yml Fake GitHub Enterprise host. Fires via api_endpoint if agent uses gh CLI against it.

stripe ~/.config/stripe/config.toml Fires if agent uses the Stripe CLI with the fake profile or follows the verify URL.

huggingface ~/.env.hf HF_ENDPOINT redirect. Fires if agent loads the file and makes an HF Hub API call.

docker ~/.docker/config.json Fake registry entry. Fires on docker pull or docker login to the fake registry.

terraform ~/.terraformrc network_mirror for a fake provider namespace. Fires on terraform init using that namespace.

generic ~/.env.production API_BASE_URL redirect. Catches any SDK that honors a configurable base URL.

Quickstart

Install it. Arm it. Wait.

Webhook URLs are secrets; keep them out of repos, screenshots, and shared logs. Running in a sensitive environment? Point canaries at your own callback server. Self-hosting docs →

quickstart

$ curl -fsSL https://snare.sh/install | sh
$ snare arm --webhook https://...

  Precision mode: planting highest-signal canaries only (awsproc, ssh, k8s)
    ✓ awsproc      ~/.aws/config
    ✓ ssh          ~/.ssh/config
    ✓ k8s          ~/.kube/staging-deploy.yaml

  ✓ webhook test fired

  🪤 3 canaries armed. Detection layer active.

  Use `snare arm --all` to plant all 18 canary types.

Ecosystem

Rampart blocks.
Snare catches.

Prevention and detection are both required. Rampart enforces what agents are allowed to do. Snare detects when something gets through. Neither requires the other. Both are stronger together.

Prevention

Rampart →

OS-level policy engine for AI agents. Enforces what tools, commands, files, and network destinations agents are allowed to use.

Detection

Snare

Credential-use tripwires. Plants canaries that fire when an agent tries to use bait credentials, not when it merely reads a file.