Stop Putting LLM API Keys in .env Files

Source: Stop Putting LLM API Keys in .env Files

Published: March 15, 2026

📄 Chinese Summary

Many developers store multiple LLM API keys in a .env file, and the presence of a .gitignore file makes this feel safe. But as AI agents that execute local commands inside the IDE become commonplace, relying on .gitignore alone is no longer enough. Current AI agents such as Cursor, Claude Code and Windsurf can read files, run scripts and process their output; although they ask for confirmation in most cases, many developers still choose auto-approve. This practice can leak API keys, so developers need to find more secure storage methods to protect sensitive information.

📄 English Summary

Stop Putting LLM API Keys in .env Files

Many developers store multiple LLM API keys in a .env file and feel secure because a .gitignore file is present. However, with AI agents that execute local commands inside IDEs becoming commonplace, relying solely on .gitignore is no longer sufficient. Current AI agents, such as Cursor, Claude Code, and Windsurf, can read files, execute scripts, and handle their output; they usually prompt for confirmation, yet many developers opt for auto-approve, which could expose API keys. Developers need to seek more secure storage methods to protect sensitive information.

Powered by Cloudflare Workers + Payload CMS + Claude 3.5

Data sources: OpenAI, Google AI, DeepMind, AWS ML Blog, HuggingFace, and others