Your AI Can Read Your .env File - Unless You Stop It Like This — DeepSeek Blog | Neura Market
    Gianluca La Manna February 11, 2026

Let’s be honest: giving an **AI Agent** access to our file system is incredibly convenient. It can write code, fix bugs, and analyze logs in an instant. However, with great power comes great responsibility.

If the AI decides (or is tricked via **prompt injection**) to read your `.env` file, your API keys, database passwords, and production secrets are potentially compromised. This remains a critical risk even if you use premium plans - which generally preserve data privacy compared to free tiers that use data for training - because the vulnerability lies in the *execution* access you've granted.

Let's look at how to implement a **"read_hook"** in Node.js to block the reading of these sensitive files.

---

## The Problem: AI is Too Curious

AI agents typically operate by receiving instructions and parameters in JSON format. If a system tool allows the AI to read a file via a `path` parameter, the AI will simply attempt to execute that command if it deems it useful for the user's request.

## The Solution: Intercepting the Request

The most effective approach is to insert a **control middleware** (a hook) between the output generated by the AI and the actual execution on your system.

Configure your hook based on the coding agent you are using, e.g. [Claude](https://code.claude.com/docs/en/hooks#how-a-hook-resolves) or [Gemini](https://geminicli.com/docs/hooks/#core-concepts).

Let’s analyze this Node.js code snippet:

```javascript
async function main() {
  const chunks = [];

  // 1. Read the input from standard input (stdin)
  for await (const chunk of process.stdin) {
    chunks.push(chunk);
  }
  const toolArgs = JSON.parse(Buffer.concat(chunks).toString());

  // 2. Extract the path the AI is trying to read
  const readPath = toolArgs.tool_input?.file_path || toolArgs.tool_input?.path || "";

  // 3. Security Check: Prevent access to .env files
  if (readPath.includes('.env')) {
    console.error("SECURITY ERROR: You cannot read the .env file");
    process.exit(2); // Forced exit with error code
  }

  // If the check passes, proceed with the read operation...
}

// Run the hook; if the input cannot be read or parsed, block the call as well
main().catch((err) => {
  console.error(`SECURITY ERROR: hook failed: ${err.message}`);
  process.exit(2);
});
```

## Why This Approach Works

- Fail-Fast: Instead of just returning a text error to the AI (which might try to bypass it with another prompt), the process terminates abruptly with `process.exit(2)`.
- Parameter Analysis: It doesn't matter if the AI calls the field `file_path` or simply `path`; the hook covers both common naming conventions.
- Zero Trust: We don't rely on the "common sense" of the model or system prompts. We enforce a hard-coded rule at the operating system level.

## Beyond Simple .env: Best Practices

Blocking just the `.env` string is a good start, but in a production environment, you should consider:

1. Whitelisting vs. Blacklisting: Instead of just banning `.env` files, allow the AI to read only from a specific folder (e.g., `/src`).
2. Path Normalization: Use `path.resolve()` to prevent the AI from using "dot notation" (`../../.env`) to climb out of the intended directory and bypass checks.
3. Isolated Environments: Whenever possible, run the AI inside a Docker container or a sandbox with restricted file permissions.

## Conclusion

Integrating AI tools into our workflows is the future, but security must not be an afterthought. A simple script of just a few lines can be the difference between a productive day and a catastrophic data breach.
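The first two practices from "Beyond Simple .env" (allow-listing a folder and normalizing with `path.resolve()`) can replace step 3 of the hook, as sketched below. This is an added example, not code from the original post; the root `/workspace/project/src` and the names `checkReadPath`, `decide` and `DOTENV_NAME` are assumptions made for illustration.

```javascript
const path = require('node:path');

// Assumption: the agent may only read below this directory (hypothetical layout).
const ALLOWED_ROOT = path.resolve('/workspace/project/src');

// Basenames refused even inside the root: .env, .env.local, prod.env (any case).
const DOTENV_NAME = /^\.env(\..*)?$|\.env$/i;

// Decide whether one requested path may be read. Fails closed on bad input.
function checkReadPath(requested, root = ALLOWED_ROOT) {
  if (typeof requested !== 'string' || requested === '' || requested.includes('\0')) {
    return { allowed: false, reason: 'missing or malformed path' };
  }
  // Normalize before checking: resolves "." and ".." against the allowed root.
  const resolved = path.resolve(root, requested);
  const rel = path.relative(root, resolved);
  const outside = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (outside) return { allowed: false, reason: 'outside allowed root' };
  if (DOTENV_NAME.test(path.basename(resolved))) {
    return { allowed: false, reason: 'dotenv file' };
  }
  return { allowed: true, reason: 'ok' };
}

// Map a hook payload (same shape as toolArgs in the article) to an exit code.
function decide(toolArgs, root = ALLOWED_ROOT) {
  const input = (toolArgs && toolArgs.tool_input) || {};
  const verdict = checkReadPath(input.file_path || input.path, root);
  return { exitCode: verdict.allowed ? 0 : 2, reason: verdict.reason };
}

// Constructed sample payloads, not captured from a real agent session.
const samples = [
  { tool_input: { file_path: 'lib/util.js' } },
  { tool_input: { path: '../../.env' } },
  { tool_input: { file_path: '/workspace/project/src/.env.local' } },
  { tool_input: { path: 'app.environment.ts' } },
  {},
];
for (const s of samples) {
  const { exitCode, reason } = decide(s);
  console.log(JSON.stringify(s), '->', exitCode, reason);
}
```

`path.resolve()` is purely lexical, so a symlink inside the allowed root that points elsewhere is not caught here; resolving the target with `fs.realpathSync()` before the comparison covers that case.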
