Skills
Run agent sandboxes egress-deny-by-default with an API allowlist and runtime-injected short-lived credentials
Block all outbound connections by default and whitelist only the specific API endpoints the agent needs, restrict DNS resolution to prevent discovery attacks, and segment agent networks from production. Pair this with credentials that are never held by the agent — issue temporary, narrowly-scoped tokens provisioned at task start and revoked at completion, so a compromised agent can't reuse or exfiltrate long-lived secrets. Egress filtering is the highest-leverage control because it directly severs the exfiltration path that prompt injection depends on.
Source
↳ Follow the thread