
The 3-line output sanitiser I add to every LangGraph agent now
I was testing a LangGraph agent with file access tools and realized — if someone asks
it to read .env, it outputs every API key in plain text.
Looked into it. OWASP ranked Sensitive Information Disclosure #2 on their LLM Top 10
(2025). LangChain itself had a CVE last year (CVE-2025-68664) for env var exfiltration.
My fix — 3 lines that scan every agent response before it reaches the user:
import re
SECRETS = re.compile(r'(sk-|AKIA|ghp_)\S+')
def sanitize(text): return SECRETS.sub('[REDACTED]', text)
Catches OpenAI (sk-/sk-proj-), AWS (AKIA), and GitHub (ghp_) key patterns.
Not exhaustive — production needs Stripe, Slack, Anthropic patterns too — but
it's a starting point most tutorials skip entirely.
Made a 30-second video walkthrough: https://www.youtube.com/@CodeAgents_ai
What output sanitization patterns are you using in your agents? Curious if anyone
has a more comprehensive approach.