AI Tools: Keep Secrets Out of Prompts, Logs, and Vendor Telemetry

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-tools-secret-handling-in-ai-tools-r8a1-creators

1. Which configuration setting prevents an AI tool from reading sensitive environment variables stored in a .env file?

   1. Disabling syntax highlighting in the editor
   2. Adding credential file paths to an ignore list
   3. Setting the tool to read-only mode
   4. Enabling verbose logging for all API calls

2. A developer notices their API key appeared in an AI tool's conversation history. What is the correct immediate response according to best practices?

   1. Wait to see if the vendor reports a data breach
   2. Treat the key as compromised and rotate it immediately
   3. Edit the conversation to remove the key
   4. Assume the key is safe since the vendor promised not to train on it

3. What does the term 'telemetry opt-out' refer to in the context of AI tool configuration?

   1. Choosing not to share your code with the AI vendor
   2. Opting out of automatic code completion suggestions
   3. Refusing to receive automated bug fix updates
   4. Disabling the collection and transmission of usage data to the vendor

4. Why can AI tools NOT replace dedicated secret-scanning tools in a security pipeline?

   1. AI tools are too expensive for scanning
   2. AI tools focus on text understanding, not comprehensive security scanning across all file types
   3. Secret scanners use machine learning while AI tools use rules-based detection
   4. Secret scanners check for credentials in compiled binaries, which AI cannot read

5. A vendor claims their platform will never use your prompts for training data. What limitation should you understand about such promises?

   1. The promise only applies to paid tier users
   2. The vendor must delete your data within 24 hours upon request
   3. Such promises are not contractually binding and you cannot enforce them
   4. The vendor is legally required to honor this promise indefinitely

6. What is the purpose of a 'keys-do-not-train' setting offered by some AI vendors?

   1. To encrypt API keys stored in the tool's memory
   2. To hide API keys from other users in shared workspaces
   3. To prevent submitted API keys from being used in the vendor's model training
   4. To automatically generate new keys when old ones expire

7. If you accidentally paste an API key into an AI coding assistant's prompt, what should you do with that key afterward?

   1. Rotate the key and add the credential path to your ignore list
   2. Leave it as-is since it wasn't submitted, only pasted
   3. Change the key's permissions to read-only
   4. Delete the conversation and continue using the key

8. What can AI tools definitively NOT do after sensitive data has been sent to a vendor's servers?

   1. Delete or recall the data from the vendor's systems
   2. Remember that the data was ever sent
   3. Determine if the vendor is trustworthy
   4. Detect if the data was actually used for training

9. A developer configures their AI tool to disable telemetry. What risk is this addressing?

   1. The tool could consume too much memory
   2. Usage data containing prompts and context might be transmitted to the vendor
   3. The tool might crash unexpectedly
   4. The AI model might generate incorrect code

10. Why is key rotation considered necessary even when a vendor claims not to train on prompt data?

    1. The vendor might change their policy without notice
    2. Keys lose effectiveness after 90 days regardless of exposure
    3. Any key that entered a prompt should be treated as potentially compromised
    4. Vendors can still experience data breaches exposing your key

11. What does it mean to 'list your AI tools and configs' as recommended in the lesson?

    1. Share your config files with other team members
    2. Submit your configurations to the vendor for approval
    3. Create a personal inventory of each AI tool you use and its security-related settings
    4. Publish your tool list on a public website

12. Which scenario represents the greatest risk of secret exposure when using AI tools?

    1. Disabling telemetry on all tools
    2. Using only open-source AI models
    3. Writing code without using any AI tools
    4. Using an AI tool without configuring any ignore lists

13. The lesson describes AI tools as 'vacuum cleaners for context.' What does this metaphor imply about AI tool behavior?

    1. AI tools clean up messy code automatically
    2. AI tools ingest and process whatever context is available, including sensitive files if not explicitly prevented
    3. AI tools remove malware from your system
    4. AI tools organize project files into clean directories

14. You discover that a vendor has suffered a data breach and your API key may have been exposed. What should you do?

    1. Assume the key is safe because it was only in one prompt
    2. Wait for the vendor to notify you before taking action
    3. Immediately rotate the key and investigate your tool configurations
    4. Check if the vendor has a keys-do-not-train setting

15. When configuring AI tools for a company with strict security policies, which action should take priority?

    1. Subscribing to vendor security newsletters
    2. Training team members on prompt engineering
    3. Installing the latest version of each tool
    4. Adding all credential paths to ignore lists and disabling telemetry where policy requires