Your AI Agent Is Holding Your Passwords. Here's Why That Should Terrify You.

James Liu | 7 min

Someone on Reddit last year wrote: 'A cloud browser is a security risk. I'm never giving my passwords to an AI agent.' That post got hundreds of upvotes. And honestly? They weren't wrong to be scared. In 2025, over 29 million hardcoded secrets were leaked to public GitHub repositories, and AI coding tools are generating code that leaks credentials at roughly 2x the baseline human rate, according to Snyk's research. Now add autonomous computer use agents to that mix. Agents that log into your SaaS tools, your internal dashboards, your banking portals. Agents that need your credentials to do literally anything useful. The credential handling problem in agentic AI isn't a niche DevSecOps concern anymore. It's the single biggest reason most enterprises are still too scared to actually deploy these things. And the way most AI agent vendors are handling it right now is, to put it plainly, embarrassing.

The Dirty Secret Nobody in AI Wants to Talk About

Here's what actually happens when you give most computer use agents access to your accounts. The credentials get passed into the agent context, often as plain text in a system prompt or environment variable, and the agent holds them in memory while it works. Sounds fine until you realize that anything in that context window is potentially readable by the model, loggable by the platform, and extractable by a prompt injection attack. HiddenLayer's security research team demonstrated exactly this with Anthropic's Claude Computer Use back in late 2024. They showed that indirect prompt injection, where malicious instructions are hidden in a webpage the agent visits, can redirect the agent to exfiltrate whatever it has access to, including credentials it was given to complete its task. That's not a theoretical attack. That's a working proof of concept published for the world to see. And then in 2025, a paper posted to arXiv documented AI agents performing what its authors called 'OS credential dumping,' essentially the same technique ransomware operators use, but now available to anyone who can craft a clever prompt injection payload. The computer-using AI space moved incredibly fast on capability. It moved much, much slower on security.

OpenAI Operator and the 'Just Give Us Your Password' Problem

When OpenAI launched Operator in January 2025, the security community had a predictable reaction. Push Security published a detailed breakdown of how browser-based AI agents like Operator fundamentally transform the credential stuffing threat model. The core problem is that these agents authenticate on your behalf inside a cloud-controlled browser session. Your credentials travel from your device to OpenAI's infrastructure to the target website. That's two additional trust boundaries that didn't exist before. A separate arXiv paper from May 2025 put it bluntly: 'The delegation of credential management to AI agents presents a fundamental security limitation.' Fundamental. Not 'a concern to monitor.' Not 'an area for improvement.' Fundamental. The researchers flagged that most browsing AI agents, including Operator and Claude Computer Use, lack any standardized mechanism for credential isolation, meaning the agent's working memory and the user's secrets occupy the same trust zone. One successful prompt injection and it's over. To be fair, OpenAI knows this. They've built in human confirmation steps for sensitive actions. But those friction points are also exactly why Operator still frustrates power users. You can't have a fully autonomous computer use agent AND a human rubber-stamping every login. Those goals are in direct tension with each other.

AI-assisted repositories leak secrets at a 3.2% rate, roughly 2x the baseline. In 2025, that translated to 29 million exposed credentials on GitHub alone. Now those same AI tools are being handed the keys to your production systems.

Claude Code Reading Your .env Files Is Not a Conspiracy Theory

In June 2025, a thread on Reddit's ClaudeAI community blew up over a simple, infuriating discovery: Claude Code reads .env files by default. For non-developers, .env files are where you store API keys, database passwords, and other secrets locally. They're supposed to stay off the internet and out of AI context windows. The top reply in that thread was brutal: 'Environment variables ARE the industry standard. Rails, Django, Node.js all use them. The problem isn't how we store secrets, the problem is an AI agent that vacuums them up without asking.' Anthropic's own threat intelligence reports from August 2025 documented real-world abuse cases, including a 'vibe hacking' operation where criminals used Claude Code to scale a data extortion campaign. The tool wasn't the villain, but it was the weapon. And separately, in February 2026, SecurityWeek reported that vulnerabilities in Claude Code could have allowed attackers to silently gain control of a developer's computer. Silently. These aren't hypotheticals from a paranoid security blog. These are documented incidents from the company that built the tool. The gap between 'this AI agent can do amazing things with your credentials' and 'this AI agent handles your credentials safely' is still very, very wide for most products in this space.

What Actually Good Credential Handling Looks Like for a Computer Use Agent

The security community has largely converged on what the right answer looks like, even if most vendors haven't shipped it yet. First, credentials should never live in the model's context window. They should be injected at execution time from an isolated secrets store, used for the specific action, and never persisted in logs or memory. Second, the computer use agent needs a non-human identity with scoped, time-limited permissions, not a full human credential that grants access to everything the user can touch. BeyondTrust published solid research on this in late 2025, calling it 'AI agent identity governance.' The idea is that your agent gets its own identity with just enough access to complete the task, and that identity gets audited and rotated automatically. Third, any computer-using AI operating in a browser environment needs active prompt injection defenses, not just warnings in a README. Brave's security team demonstrated in August 2025 that even Perplexity's Comet browser was vulnerable to injection via screenshots and hidden page content. If your computer use agent is reading screens and clicking buttons, every pixel it processes is a potential attack surface. The 1Password and Aembit teams have both published solid frameworks for agentic secrets management. The knowledge exists. The implementations are just lagging badly behind the hype.
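As an added illustration of the first two principles above (this is example code written for this article, not code from Coasty or any vendor or research team named here), the Python below sketches a credential broker: the agent's context holds only an opaque, time-limited handle scoped to one host, the broker presents the real secret at execution time, the audit log redacts it, and an injected instruction that tries to spend the same handle against a different host is refused. The vault contents, host names and handle format are constructed for the example; a real deployment would back the vault with a KMS or secrets manager.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed stand-in for an isolated secrets store (a real deployment would use a vault/KMS).
VAULT = {"crm/api_key": "sk-live-CONSTRUCTED-EXAMPLE"}

@dataclass
class Grant:
    secret_id: str            # which vault entry this handle may unlock
    allowed_hosts: frozenset  # hosts the secret may be presented to
    expires_at: float         # epoch seconds; the handle is dead after this

class CredentialBroker:
    """Issues opaque, scoped, time-limited handles; the secret itself never leaves the broker."""
    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._grants = {}
        self.audit = []

    def issue(self, secret_id, allowed_hosts, now=None):
        now = time.time() if now is None else now
        token = "grant_" + secrets.token_hex(8)
        self._grants[token] = Grant(secret_id, frozenset(allowed_hosts), now + self.ttl)
        return token  # this handle is all the agent's context ever holds

    def use(self, token, host, action, now=None):
        """Run action(host, secret) only if the handle is known, unexpired and scoped to host."""
        now = time.time() if now is None else now
        grant = self._grants.get(token)
        if grant is None or now > grant.expires_at:
            self.audit.append(f"DENY token={token} host={host} reason=unknown_or_expired")
            return None
        if host not in grant.allowed_hosts:
            self.audit.append(f"DENY token={token} host={host} reason=out_of_scope")
            return None
        result = action(host, VAULT[grant.secret_id])  # secret used here, never returned
        self.audit.append(f"ALLOW token={token} host={host} secret=[REDACTED]")
        return result

def secret_in_text(text):  # leak check: does any vault value appear verbatim in text?
    return any(v in text for v in VAULT.values())

def demo():
    broker = CredentialBroker(ttl_seconds=60)
    token = broker.issue("crm/api_key", ["crm.example.com"])
    context = f"Task: export contacts from crm.example.com. Credential handle: {token}"
    ok = broker.use(token, "crm.example.com", lambda h, s: f"GET https://{h}/contacts (key length {len(s)})")
    denied = broker.use(token, "attacker.example", lambda h, s: s)  # injected redirect: refused, action never runs
    return ok, denied, secret_in_text(context + "\n".join(broker.audit))
```

Running `demo()` returns the legitimate result, `None` for the out-of-scope attempt, and `False` from the leak check, because neither the agent context nor the audit log ever contains the vault value.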

Why Coasty Built This Differently

I'll be straight with you. I work at Coasty, so take this for what it is. But the reason I actually believe in what we built is that credential handling was a design constraint from day one, not a feature we're scrambling to bolt on after shipping. Coasty is a computer use agent that controls real desktops, real browsers, and real terminals. It scores 82% on OSWorld, which is the gold-standard benchmark for real-world computer task completion, and that's higher than every competitor currently on the leaderboard. But raw benchmark performance is only useful if the agent can operate in production environments where security actually matters. The architecture matters. Running agents in isolated cloud VMs means credentials aren't shared across sessions or users. Agent swarms for parallel execution are scoped so individual agents carry only the permissions they need for their specific subtask. BYOK (Bring Your Own Keys) support means your most sensitive credentials never have to touch Coasty's infrastructure at all if you don't want them to. And the desktop app gives teams who need full on-premise control exactly that. Is every credential-handling problem in agentic AI solved? No. Anyone who tells you it is is selling you something. But there's a massive difference between a computer use agent designed with a security model and one that treats credentials as just another string to pass around. That difference is what separates tools you can actually deploy in a real company from demos that live in a sandbox forever.

Here's my actual take: the enterprises that are sitting on the sidelines waiting for 'AI agents to mature' before deploying them are not being overly cautious. They're being rational. The credential handling story across most of this industry is genuinely not ready for production use at scale. But that's not an argument to wait forever. It's an argument to be selective. Demand that your computer use agent vendor answer specific questions: Where do credentials live during task execution? What's the blast radius if a prompt injection attack succeeds? Can I scope agent permissions below my own access level? If they give you vague answers or point you to a blog post about 'responsible AI,' keep shopping. The tools that have actually thought this through exist. Coasty is one of them. Start with the free tier at coasty.ai, stress-test the credential handling, and compare it to whatever else you're evaluating. The 29 million leaked secrets from last year didn't have to happen. Don't add yours to next year's count.
