Comment by siofra

11 days ago

This is exactly the problem I've been working on. We're building a fork of OpenClaw with credential isolation baked in — agents use fake tokens, a broker intercepts the request and injects the real credentials at the HTTP layer. The agent never sees the actual API key or secret.

The analogy that clicked for us was SQL prepared statements: you separate the query structure from the data. Same idea here — separate the command structure from the secrets.

It's called SEKS (Secure Execution Keyless System). Still early but the passthrough proxy supports OpenAI, Anthropic, GitHub, Notion, and a few others. Site is at seksbot.com and the code is at github.com/SEKSBot.
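As an added illustration of the broker pattern the comment describes (this is not SEKS code; the table layout, token strings, and the `inject_credentials` and `BrokerDenied` names are hypothetical), the sketch below swaps a placeholder token for the real secret at the HTTP layer. It assumes the credential travels in an `Authorization` header, and it binds each placeholder to its destination host so that a placeholder sent anywhere else never causes the real secret to be attached.

```python
from urllib.parse import urlsplit

# Constructed sample data: placeholder token -> (real secret, hosts it may go to).
# Only the broker process holds this table; the agent sees the keys, never the values.
BROKER_TABLE = {
    "fake-openai-001": ("REAL-OPENAI-SECRET", {"api.openai.com"}),
    "fake-github-001": ("REAL-GITHUB-SECRET", {"api.github.com"}),
}


class BrokerDenied(Exception):
    """Raised when the broker refuses to attach a real credential."""


def inject_credentials(url, headers, table=BROKER_TABLE):
    """Return a copy of `headers` with the placeholder replaced by the real secret."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Never attach a real secret to a cleartext request.
    if parts.scheme != "https":
        raise BrokerDenied("refusing to inject over a non-TLS scheme")

    out = {}
    injected = False
    for name, value in headers.items():
        if name.lower() != "authorization":
            out[name] = value
            continue
        scheme, _, token = value.partition(" ")
        if token not in table:
            raise BrokerDenied("unknown placeholder token")
        secret, allowed_hosts = table[token]
        # Exact host match: a lookalike such as api.openai.com.evil.example fails.
        if host not in allowed_hosts:
            raise BrokerDenied(f"token is not bound to host {host!r}")
        out[name] = f"{scheme} {secret}"
        injected = True

    if not injected:
        raise BrokerDenied("no Authorization header to rewrite")
    return out
```

The host binding is what keeps the placeholder from acting as a bearer credential in its own right: without it, any destination the agent can be talked into calling would receive the real key.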