Your Computer Use AI Agent Is Holding Your Passwords. Here's Why That Should Terrify You.
Someone on Reddit built an AI agent with shell access, gave it their API keys, and watched it print those keys as ASCII art after a single prompt injection attack. That's not a hypothetical. That happened in January 2026, and the thread went viral because half the people reading it realized they'd done the exact same thing. Here's the uncomfortable truth: most teams deploying computer use agents right now are treating credential security like it's 2018. Paste the API key in the config file, ship it, figure out the rest later. Meanwhile, GitGuardian just reported that 28.65 million new hardcoded secrets were exposed on public GitHub in 2025 alone, a 34% jump year over year, with AI coding tools directly blamed for doubling individual leak rates. You built an agent to save time. Congratulations. You may have also built a very efficient credential exfiltration machine.
The Numbers Are Genuinely Alarming
Let's not dance around this. GitGuardian's 2026 State of Secrets Sprawl report found 28.65 million new secrets exposed in public GitHub commits in 2025. AI-service credential leaks specifically surged 81% in a single year. IBM's Cost of a Data Breach report found it takes an average of 292 days to even detect a breach involving compromised credentials. That's nearly ten months of an attacker sitting inside your systems while your computer use agent keeps dutifully logging in and doing tasks. The Moltbook breach in early 2026 exposed API keys for 1.5 million registered agents in one shot. One database, one misconfiguration, 1.5 million agent identities compromised. And a separate research paper published on arXiv in mid-2025 found that 66% of MCP servers tested leaked credentials in some form. Two thirds. That's not a niche edge case. That's the norm.
What Bad Credential Handling Actually Looks Like in the Wild
- Hardcoded API keys in agent config files, then those files get committed to Git because someone was moving fast. GitGuardian caught 28.65M of these in 2025 alone.
- Agents storing session tokens in plaintext logs. The agent needs to debug, so you enable verbose logging. Now your OAuth tokens live in a file on disk that anything can read.
- Over-provisioned credentials that never expire. The agent gets admin access because it was easier than scoping permissions properly. Task finishes. Credentials persist forever.
- Prompt injection via poisoned web content. A computer use agent browses a malicious page, reads hidden instructions, and is told to forward its stored credentials to an external URL. Docker documented exactly this attack pattern in August 2025.
- MCP server tool poisoning. Researchers found CVE-2025-6514 in MCP infrastructure where malicious servers could inject instructions that caused AI clients to exfiltrate credentials mid-task.
- Sharing one credential set across agent swarms. You spin up ten parallel agents for speed, they all authenticate with the same token, one gets compromised, all ten are now attack vectors.
- No audit trail. The agent acted, used credentials, completed the task. Which agent? Which credential? When? Most setups have zero answer to any of those questions.
70% of leaked secrets on GitHub remain active and valid long after they're exposed. You're not just leaking credentials. You're handing attackers a key that still works.
OpenAI Operator and Anthropic Computer Use Both Know This Is a Problem
OpenAI's own Operator system card, published in January 2025, explicitly acknowledged that prompt injection risk is 'heightened given the potential for use on Local OS.' They said that out loud, in their own documentation, on launch day. Researchers at arXiv published a full systematization of security vulnerabilities in computer use agents in July 2025, using Operator as the primary test subject, and found credential handling was one of the most exploitable surfaces. Anthropic, to their credit, disrupted what they called the first AI-orchestrated cyber espionage campaign in November 2025, where attackers were literally using Claude to harvest credentials at scale. The security researcher community has been screaming about this for over a year. The ZombAIs research from late 2024 showed how prompt injection could turn Claude's computer use capability into a command-and-control channel. These aren't fringe attacks. They're documented, reproducible, and increasingly automated. The question isn't whether your computer use agent can be exploited this way. It's whether you've done anything to make it harder.
The Real Problem Is That Most Teams Don't Think of Agents as Identities
Here's the mindset failure at the core of this mess. Most developers building with computer use AI treat the agent like a script. Scripts don't have identities. Scripts don't have reputations. If a script leaks a credential, you rotate the key and move on. But an AI computer use agent isn't a script. It's an autonomous actor with persistent access, decision-making capability, and the ability to take actions your security team never explicitly approved. It's a non-human identity, and it needs to be treated like one. That means scoped credentials with least-privilege access. That means short-lived tokens, not long-lived API keys. That means secrets injected at runtime via a vault, not baked into config files. That means audit logs that tell you exactly what each agent touched and when. Non-human identities grew 44% from 2024 to 2025 according to recent research. Your security tooling was built for humans. It's almost certainly not keeping up. And when you combine that gap with a computer-using AI agent that can browse the web, execute code, fill forms, and interact with any software on a desktop, you've got a very capable actor operating with very weak accountability.
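As an added illustration of those four requirements (scoped, short-lived, runtime-injected, audited), and of the plaintext-log and shared-token failures in the list above, here is a hypothetical credential broker in Python; it is not Coasty's or any vendor's code, and the agent ids, scope names and upstream secret are constructed values.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

# Constructed placeholder: in practice fetched from a vault at runtime, never
# written into an agent config file or handed to the agent itself.
UPSTREAM_SECRET = "sk-constructed-upstream-secret-000000"

@dataclass
class AgentToken:
    agent_id: str
    scopes: frozenset
    expires_at: float
    value: str  # opaque per-instance handle, not the upstream secret

@dataclass
class CredentialBroker:
    """Hypothetical broker: one scoped, short-lived token per agent instance."""
    ttl_seconds: float = 300.0
    audit_log: list = field(default_factory=list)
    _issued: dict = field(default_factory=dict)

    def issue(self, agent_id, scopes, now=None):
        now = time.time() if now is None else now
        tok = AgentToken(agent_id, frozenset(scopes), now + self.ttl_seconds,
                         secrets.token_urlsafe(24))
        self._issued[tok.value] = tok
        self._audit(now, "issue", agent_id, tok.value, sorted(scopes))
        return tok

    def use(self, token_value, scope, now=None):
        """Broker performs the privileged action itself (stubbed); agent never sees the secret."""
        now = time.time() if now is None else now
        tok = self._issued.get(token_value)
        ok = tok is not None and now < tok.expires_at and scope in tok.scopes
        self._audit(now, "use" if ok else "deny", tok.agent_id if tok else "unknown", token_value, scope)
        return ok

    def redact(self, text):
        """Scrub the upstream secret and every live token before a log line hits disk."""
        for s in [UPSTREAM_SECRET, *self._issued]:
            text = text.replace(s, "[REDACTED]")
        return text

    def _audit(self, ts, event, agent_id, token_value, detail):
        # Audit entries carry a token fingerprint, never the token value.
        fp = hashlib.sha256(token_value.encode()).hexdigest()[:12]
        self.audit_log.append({"ts": ts, "event": event, "agent": agent_id,
                               "token_fp": fp, "detail": detail})
```

The agent instance only ever holds `tok.value`, and the broker rather than the agent makes the privileged call, so an injected agent that dumps its own memory has nothing upstream-valid to print.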
Why Coasty Built Credential Handling Into the Architecture, Not as an Afterthought
I've tried most of the major computer use agents. The credential story from a lot of them is genuinely bad. You're expected to handle secrets yourself, figure out your own vault integration, and hope your prompt engineering is tight enough to resist injection attacks. Coasty took a different approach, and it's one of the reasons it sits at 82% on OSWorld while everyone else is still catching up. When you're running agents at scale, especially with swarms doing parallel execution across cloud VMs, the credential surface area explodes fast. Coasty's architecture treats every agent instance as a distinct identity with scoped, short-lived access. You're not passing a master API key to ten parallel agents and crossing your fingers. BYOK support means your secrets stay in your infrastructure, not theirs. And because Coasty controls real desktops, real browsers, and real terminals rather than just making API calls, the team had to think seriously about what it means for an agent to authenticate to a real system on your behalf. That's a fundamentally harder problem than calling an endpoint, and it requires fundamentally better security thinking. Most computer use agent providers haven't published anything coherent on this. Coasty has actually built for it.
The credential problem in agentic AI is not a future risk. It's a present one. 28.65 million leaked secrets. 292 days average detection time. 66% of MCP servers leaking credentials. An 81% surge in AI-service credential leaks in a single year. These numbers are from right now, and they're getting worse as more teams spin up computer use agents without thinking seriously about what those agents are authorized to touch. If you're building with a computer use agent today, ask yourself three questions. Does each agent instance have its own scoped credentials, or are you sharing one set? Are you using short-lived tokens with automatic rotation, or long-lived API keys sitting in a config file? Do you have an audit log that tells you exactly what your agent authenticated to and when? If the answer to any of those is 'no' or 'I'm not sure,' you have a problem that's worth fixing before an attacker finds it for you. The best computer use agents are the ones built by teams who took these questions seriously from day one. That's a short list. Coasty.ai is on it.