It is important to manage your secrets (environment variables) properly. The most common way people expose their secrets to the outside world is by hard-coding them directly in their app.py files, which makes it possible for a malicious user to use your secrets and the services those secrets grant access to.
For example, this is what a compromised app.py file (one with a hard-coded secret) might look like:

import numpy as np
import scipy as sp

# The secret is written into the source file itself; anyone who can read the
# file (or the repository history) can reuse it.
api_key = "sw-xyz1234567891213"

def call_inference(prompt: str) -> str:
    # call_api is whatever client the app uses; it is not defined here.
    result = call_api(prompt, api_key)
    return result
To prevent this issue, we run an automated bot (Spaces Secrets Scanner) that scans for hard-coded secrets and, if any are found, opens a discussion about the exposed secrets and how to handle the problem.
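As an added example (not the page's own code and not the Spaces Secrets Scanner itself), here is a minimal check of the kind described above, run over a constructed copy of the insecure app.py beside a hardened form that reads the key from an environment variable. The function names, the regex heuristic and the API_KEY variable name are assumptions.

```python
"""Added example: a minimal hard-coded-secret check plus the hardened pattern.
This is illustrative code, not the Hugging Face Spaces Secrets Scanner."""
import os
import re
from typing import Mapping

# Heuristic: a variable whose name suggests a credential, assigned a string literal
# of at least 8 characters. Real scanners use many more patterns than this.
SECRET_ASSIGNMENT = re.compile(
    r"^\s*(?P<name>\w*(?:api_key|apikey|token|secret|password)\w*)\s*=\s*"
    r"(?P<quote>['\"])(?P<value>[^'\"]{8,})(?P=quote)",
    re.IGNORECASE,
)


def find_hardcoded_secrets(source: str) -> list[tuple[int, str]]:
    """Return (line_number, variable_name) for each suspicious assignment."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = SECRET_ASSIGNMENT.match(line)
        if match:
            hits.append((lineno, match.group("name")))
    return hits


def load_api_key(env_name: str = "API_KEY", env: Mapping[str, str] = os.environ) -> str:
    """Hardened pattern: read the secret at runtime and fail loudly if it is missing."""
    value = env.get(env_name)
    if not value:
        raise RuntimeError(f"{env_name} is not set; configure it as a Space secret")
    return value


# Constructed sample mirroring the insecure app.py from the page (placeholder key).
INSECURE_APP = '''import numpy as np
import scipy as sp
api_key = "sw-xyz1234567891213"
def call_inference(prompt: str) -> str:
    return call_api(prompt, api_key)
'''

# Constructed hardened sample: no literal secret is present in the source.
HARDENED_APP = '''import os
api_key = os.environ["API_KEY"]
def call_inference(prompt: str) -> str:
    return call_api(prompt, api_key)
'''

if __name__ == "__main__":
    print("insecure:", find_hardcoded_secrets(INSECURE_APP))  # [(3, 'api_key')]
    print("hardened:", find_hardcoded_secrets(HARDENED_APP))  # []
```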