diff --git a/home/modules/ai-tools/default.nix b/home/modules/ai-tools/default.nix
index 973c4b7..9f0f465 100644
--- a/home/modules/ai-tools/default.nix
+++ b/home/modules/ai-tools/default.nix
@@ -90,6 +90,17 @@ in
           external_directory = {
             "/run/secrets/" = "deny";
             "~/.config/sops/age/keys.txt" = "deny";
+            "~/.ssh/id_rsa" = "deny";
+            "~/.ssh/id_ed25519" = "deny";
+            "~/.ssh/id_ecdsa" = "deny";
+            "~/.ssh/id_dsa" = "deny";
+            "/etc/ssh/ssh_host_rsa_key" = "deny";
+            "/etc/ssh/ssh_host_ed25519_key" = "deny";
+            "/etc/ssh/ssh_host_ecdsa_key" = "deny";
+            "/etc/ssh/ssh_host_dsa_key" = "deny";
+          };
+          command = {
+            sops = "deny";
           };
         };
         plugin = [ "@mohak34/opencode-notifier@latest" ];