Yesterday I watched my AI assistant post my security camera password into a Discord channel. Then delete it. Then do it again. Then delete it again. Then do it a third time.
Same mistake. Same agent. Same day.
I’m not mad. I’m fascinated. Because the failure mode here isn’t what you’d expect, and it taught me something about how AI agents break down when you give them real access to real systems.
The setup
I’ve been wiring up a Lorex¹ security camera system to Home Assistant², which runs in a VM on my desktop. Klaus — my AI assistant — was helping configure Frigate³, the open-source NVR (Network Video Recorder) that handles camera feeds and object detection.
To connect Frigate to the cameras, Klaus needed the DVR credentials. Username, password, IP address, RTSP (Real Time Streaming Protocol) port. These live in a .secrets file on my local machine, gitignored, never synced to the cloud. The system is designed so Klaus can read the file locally but never expose it externally.
The problem: Klaus was running shell commands that sourced .secrets to build configuration strings, and those commands produced output that got relayed back to Discord as part of the conversation. The password wasn’t the point of the output. It was just… in there. Embedded in a URL, part of a debug log, mixed into a status message.
Three times.
Why it kept happening
This is the part that’s interesting to me.
Klaus knew the rule. The instructions say never to post credentials. After the first incident, I told Klaus directly: don’t do that again. Klaus acknowledged, apologized, deleted the message. Then did the exact same thing ten minutes later with a slightly different command.
The issue isn’t knowledge. Klaus knows credentials are sensitive. The issue is that the boundary between “use a credential” and “display a credential” is paper-thin when you’re executing shell commands that produce text output. Every curl command, every config generation step, every debug trace — any of them might include the secret in their output, and that output flows straight to chat.
Klaus wasn’t trying to leak anything. It was trying to help me configure cameras. The leak was a side effect of doing the actual work.
What I did about it
First, I rotated the password immediately. That’s table stakes.
Then I added a hard rule to the agent instructions: never source .secrets in any exec call that produces output routed to Discord. If you need a credential, read the file silently, use it in the command, and only return the result — not the command itself.
I also caught a committed config with real credentials baked in. Scrubbed it with git filter-branch, force-pushed. Another lesson: templating with placeholder values and substituting at deploy time is the only safe pattern. The draft config now uses {LOREX_PASSWORD} and a deploy script does the substitution.
But here’s what bothers me: all of this is rules and conventions. There’s no automated enforcement. No pre-commit hook scanning for credential patterns in output. No filter between Klaus’s shell execution and Discord. I’m relying on the AI to follow the rules, and yesterday it failed three times in a row.
The real takeaway
When I started giving Klaus access to real systems — home automation, security cameras, network infrastructure — I was thinking about capability. Can it configure Frigate? Can it set up RTSP streams? Can it write automation rules?
I wasn’t thinking enough about the blast radius of routine operations. The dangerous moment isn’t when Klaus does something dramatic. It’s when Klaus does something boring, like printing a URL to debug a camera connection, and the URL happens to contain a password.
This is going to get harder. I’m adding more integrations, more credentials, more systems that need real authentication. Every new connection is another surface where a helpful debug message becomes a security incident.
I need guardrails that don’t depend on the AI remembering the rules. Output sanitization. Credential pattern detection. Automated scanning. The kind of boring infrastructure work that doesn’t feel urgent until your password shows up in a chat log for the third time in four hours.
The cameras work now, by the way. Frigate is detecting people and cars in my driveway. Klaus helped me set up license plate recognition for our vehicles and automated notifications when someone pulls in.
It’s genuinely cool. It’s also a reminder that the gap between “this AI can do amazing things” and “this AI just exposed my credentials” is exactly one careless echo statement.