Your AI Agent Knows Your Passwords. That Should Terrify You.

The Numbers Are Genuinely Alarming

Let's set the table with real data, because the vibes-based takes on this topic aren't cutting it. GitGuardian's 2026 State of Secrets Sprawl report found AI-service credential leaks surged 81% in 2025, driven directly by the explosion of AI agents that need API keys, OAuth tokens, and service account passwords to operate. GitHub Copilot adoption alone drove a 40% spike in secret leaks as developers started letting AI write code that, surprise, included the credentials they pasted into the prompt. Meanwhile, IBM's Cost of a Data Breach Report puts the average breach cost at $4.88 million, and stolen or compromised credentials remain one of the top initial attack vectors year after year. Now add autonomous computer use agents to that picture. Agents that don't just store credentials, they actively type them into login forms, pass them through browser sessions, and sometimes expose them in screenshots, logs, and memory traces. The attack surface didn't expand. It exploded.

What Actually Goes Wrong (And It's Not What You Think)

• ●Prompt injection via malicious web content: A computer use agent browses a page, that page contains hidden instructions telling the agent to exfiltrate its stored credentials to an attacker-controlled endpoint. HiddenLayer documented exactly this attack pattern against Claude Computer Use in late 2024.
• ●Hardcoded credentials in agent configs: GitGuardian found 24,008 unique secrets in MCP-related config files on public GitHub in 2025, with 2,117 confirmed still valid and live. People are literally shipping production credentials in their agent setup files.
• ●Session token hijacking: Computer-using AI agents maintain browser sessions. If that session state is logged, cached, or accessible to the wrong process, an attacker doesn't need your password. They just need your cookie.
• ●Overpermissioned service accounts: AI agents require broad access to be useful, and teams grant it without thinking. Push Security documented how computer-using agents like OpenAI Operator fundamentally transform credential stuffing attacks because the agent can test thousands of credential combinations faster than any human, and with a legitimate-looking browser fingerprint.
• ●Screenshot and log leakage: Computer use agents take screenshots to understand what's on screen. Those screenshots sometimes contain passwords, 2FA codes, and sensitive form data. Where do those screenshots go? Most teams have no idea.
• ●The 63% governance gap: IBM found that 63% of organizations that suffered AI-related breaches had zero AI governance policy in place. Zero. They just handed the agent the keys and hoped for the best.

Anthropic and OpenAI Know This Is a Problem. They Just Don't Have a Great Answer Yet.

To their credit, both Anthropic and OpenAI have been somewhat transparent about the credential security risks in their computer use products. Anthropic's own documentation for Claude Computer Use explicitly warns against giving the agent access to sensitive accounts or credentials in production environments. OpenAI's Operator terms push credential handling responsibility onto the user. That's not a solution. That's a disclaimer. And the research community has been brutal about it. The HiddenLayer team demonstrated indirect prompt injection attacks against Claude Computer Use where a malicious webpage could redirect the agent's actions entirely, including actions involving stored credentials. Anthropic's own threat intelligence reports from 2025 document criminals actively using Claude to commit large-scale data theft. A hacker used Claude to steal sensitive data from Mexican government systems in early 2026. The tool works great. The security model around credential handling is still being figured out in real time. That's the honest truth, and anyone selling you a different story is lying.

The Right Way to Handle Credentials in a Computer Use Agent

Here's what actually works, based on what serious security teams are implementing right now. First, never hardcode. Not in config files, not in prompts, not in environment variables that get logged. Use a secrets manager, full stop. 1Password, HashiCorp Vault, AWS Secrets Manager, whatever fits your stack. The agent should request a credential at runtime and that credential should be scoped to exactly what it needs. Second, minimize session persistence. A computer use agent session that stays logged into your CRM, your AWS console, and your Stripe dashboard overnight is a ticking clock. Tear down sessions after task completion. Third, treat every external webpage your agent visits as potentially hostile. Because it is. Prompt injection via web content is not theoretical anymore. It's documented, reproducible, and being actively exploited. Your agent needs guardrails that treat unexpected instructions from external content as attacks, not commands. Fourth, log what the agent does, not what it sees. Screenshots and full session recordings are a liability. Structured action logs that capture what the agent did without capturing the sensitive data it interacted with are the right call. Fifth, rotate aggressively. If a credential touches an AI agent, assume it has a shorter safe lifespan than a credential that only touches humans. Automate rotation. Don't rely on quarterly security reviews.

Why Coasty Was Built With This In Mind

I'm going to be straight with you here. The reason I'm writing about credential handling is that it's the thing most people skip when they're evaluating computer use agents, and it's the thing that bites them hardest six months later. Coasty, the computer use agent sitting at 82% on OSWorld (higher than every competitor including Claude and Operator), was designed from the ground up to operate on real desktops and cloud VMs with production-grade isolation. When your agent runs in an isolated cloud VM, the credential exposure surface looks completely different than when it's running in a shared browser session on your laptop. The VM gets torn down. The session state doesn't persist. The screenshots don't land in a shared log somewhere. That's not a coincidence. That's an architectural choice that matters enormously for credential security. Coasty also supports BYOK (bring your own keys), which means your credentials and API keys never touch Coasty's infrastructure if you don't want them to. You control the secrets. The agent just does the work. And with agent swarms for parallel execution, you can scope each agent to exactly the permissions it needs for exactly the task it's running, rather than having one god-mode agent with access to everything. If you're evaluating computer use agents right now and credential security isn't in your top three evaluation criteria, you're going to have a bad time.