Your AI Agent Has Your Passwords. Does It Know How Not to Leak Them?

Daniel Kim | 7 min

A research paper dropped in April 2026 that should have made every AI team stop and sweat. Researchers analyzed 17,022 LLM agent skills and found that leaked credentials were immediately actionable in 89.6% of cases, and stubbornly persistent, meaning they stayed live and exploitable long after discovery. This wasn't a theoretical attack. This was a snapshot of what's already deployed. Your computer use agent is out there right now, logging into Salesforce, pulling from your data warehouse, hitting your internal APIs. And a huge chunk of the industry built that agent the same way a sleep-deprived intern would: credentials hardcoded, secrets in plain text, no rotation, no audit trail. Congrats. You automated the breach.

The Numbers Are Genuinely Embarrassing

Let's pile on the stats because they deserve it. GitGuardian's 2025 report found that 70% of leaked secrets remain active for two years after exposure. Two years. Not two hours. Not two days. Two years of an attacker sitting on your credentials while you pat yourself on the back for shipping an AI agent. Then Snyk's State of Secrets report came out and reported 28 million credentials leaked on GitHub in 2025 alone, with AI-generated code leaking secrets at roughly twice the baseline rate. So the tools you're using to build faster are also making you leak faster. A student got hit with a $55,444 Google Cloud bill after their Gemini API key ended up in a public repo. That's one person, one key, one mistake. Now imagine that's your production computer use agent with access to your CRM, your billing system, and your HR platform. The math gets ugly fast.

What's Actually Going Wrong With Computer Use Agents Specifically

  • Prompt injection is the nightmare scenario: a malicious website or document feeds instructions to your computer-using AI and tells it to exfiltrate credentials. Brave Security demonstrated this live against Perplexity Comet in 2025. It worked.
  • Chain-of-thought leakage is a real attack vector. Some computer use agents expose their reasoning traces, which can include the credentials they just used. Researchers flagged this in a July 2025 systematization paper covering OpenAI Operator and Anthropic Computer Use.
  • Overpermissioned agents are the norm, not the exception. Most teams give their AI agent admin-level access because it's easier than scoping permissions properly. That's not laziness. That's a loaded gun on the desk.
  • Credential rotation is basically nonexistent in most agentic deployments. The agent gets one set of keys at setup and uses them forever. 70% of leaked secrets stay active for two years. Connect those dots.
  • The Wiz team found 1.5 million API keys exposed in a single database breach tied to an AI social platform in early 2026. These weren't stolen by sophisticated hackers. They were just sitting there.
  • A Salesforce Agentforce hack in September 2025 enabled direct CRM data theft. An AI agent with CRM access and poor credential hygiene isn't a productivity tool. It's a liability with a login.

AI-generated code leaks credentials at nearly 2x the baseline rate, and 70% of those leaked secrets stay active for two full years. You're not just building faster. You're breaking things faster.

The Industry Is Arguing About This Right Now and Most of the Takes Are Wrong

There's a debate happening in security circles about whether the problem is the agents themselves or the developers deploying them. That debate is a distraction. Yes, developers hardcode secrets. Yes, AI coding tools make that worse. But the real issue is that the computer use agent category grew up without a security model. Early demos of Anthropic Computer Use and OpenAI Operator were impressive. They were also built to show what was possible, not to show what was safe. A July 2025 arXiv paper called 'A Systematization of Security Vulnerabilities in Computer Use Agents' laid out exactly how both platforms could be manipulated into leaking credentials through indirect prompt injection. The paper wasn't theoretical. It documented known, reproducible attacks. And yet most teams evaluating computer use agents today are still asking 'can it fill out this form?' instead of 'what happens when someone puts a malicious instruction in the form?' The Anthropic team itself published a case study in November 2025 about disrupting an AI-orchestrated espionage campaign in which Claude was used as part of the attack chain. The attackers didn't need to hack the agent. They just used it. That's the threat model nobody's talking about.

What Secure Credential Handling for a Computer Use Agent Actually Looks Like

Here's what good looks like, because complaining without a framework is just venting.

  • Credentials should never live in the agent's context window. Full stop. They should be injected at runtime from a secrets manager, used once for the specific task, and never logged.
  • The agent should operate with the minimum permissions required for the specific workflow, not a master admin account because someone was in a hurry.
  • Every credential access should be audited. Not just 'the agent ran,' but 'the agent accessed credential X at time Y to perform action Z.'
  • Prompt injection defenses have to be built into the agent architecture itself, not bolted on as an afterthought. The CaMeLs paper from March 2026 proposed system-level sandboxing for computer use agents specifically because application-level defenses keep getting bypassed.
  • Secrets rotation needs to be automated and frequent. If your agent's credentials haven't rotated in six months, you're not running a secure system. You're running a time bomb.

Most teams are doing none of this. Some are doing one or two. Almost nobody is doing all five.
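Here is what the first three of those practices look like in code: a credential broker that keeps the secret out of the model's context, scopes each credential to the actions it may perform, records an audit event per use (credential, action, timestamp, never the value), and redacts anything key-shaped from tool output before it can land in the context window. This is an added illustration, not Coasty's code or any vendor's API; the vault contents, the `sk_live_` key format, the CRM tool and the record id are all constructed for the example.

```python
import re
import time
from dataclasses import dataclass

# Constructed sample vault; in a real deployment these values come from a secrets
# manager at runtime and are never embedded in source, prompts or logs.
VAULT = {"crm-readonly": "sk_live_CONSTRUCTED_EXAMPLE_KEY_0001"}
SCOPES = {"crm-readonly": {"crm.read"}}  # least privilege: credential -> allowed actions

@dataclass(frozen=True)
class AuditEvent:
    credential_id: str  # which credential was used ...
    action: str         # ... to perform which action ...
    ts: float           # ... at what time. The secret value itself is never recorded.

class CredentialBroker:
    """Runs trusted tool functions on the agent's behalf. The model only ever names a
    credential id and an action; the secret value stays inside the broker."""

    def __init__(self, vault, scopes):
        self._vault = dict(vault)
        self._scopes = scopes
        self._tools = {}  # action -> fn(secret, **params) -> str
        self.audit_log = []

    def register_tool(self, action, fn):
        self._tools[action] = fn

    def run(self, credential_id, action, **params):
        if action not in self._scopes.get(credential_id, set()):
            raise PermissionError(f"{credential_id} is not scoped for {action}")
        secret = self._vault[credential_id]
        self.audit_log.append(AuditEvent(credential_id, action, time.time()))
        output = self._tools[action](secret, **params)
        return self.redact(output)  # nothing reaching the context window may carry a secret

    def redact(self, text):
        """Scrub known secret values, then anything key-shaped, before text reaches the model."""
        for secret in self._vault.values():
            text = text.replace(secret, "[REDACTED]")
        return re.sub(r"sk_live_[A-Za-z0-9_]+", "[REDACTED]", text)

# Constructed tool: a stand-in CRM call that carelessly echoes the auth header it used.
def fake_crm_read(secret, record_id):
    return f"record {record_id}: ACME Corp (auth=Bearer {secret})"
```

Wiring it up means `broker.register_tool("crm.read", fake_crm_read)` followed by `broker.run("crm-readonly", "crm.read", record_id="42")`; the leaked header comes back as `[REDACTED]`, an out-of-scope action such as `crm.write` raises before any secret is touched, and the audit log names credential, action and time only.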

Why Coasty Was Built With This in Mind

I'm going to be straight with you. The reason I trust Coasty for computer use work isn't just the benchmark score, though 82% on OSWorld is legitimately the highest in the category and it's not close. It's that the architecture was built for real deployment, not just demos. Coasty runs agents on isolated cloud VMs, which means your agent's session is sandboxed away from your local environment and other agents. Credentials don't bleed between tasks. The agent swarm model for parallel execution means you can scope each agent tightly to one job with one permission set, instead of one overpermissioned agent touching everything. That's the minimum viable security posture for any serious computer-using AI deployment. The BYOK (bring-your-own-key) support matters too, because it means your API keys stay yours and don't get pooled into some shared infrastructure you have no visibility into. When you're evaluating any computer use agent, the question isn't just 'does it work?' It's 'does it work without becoming the biggest attack surface in your stack?' Coasty is the only one I'd actually put in front of sensitive workflows right now. The free tier is at coasty.ai if you want to see how it handles the tasks you're actually worried about.

Here's my actual opinion: most teams deploying AI agents in 2026 are one prompt injection away from a bad day, and they don't know it. The research is piling up. The breaches are real. The Salesforce hack, the Moltbook API key dump, the espionage campaign using Claude as infrastructure, these aren't edge cases anymore. They're the early chapters of a much longer story. The computer use agent category is genuinely powerful. Automating workflows that used to require a human clicking through five apps is real leverage. But power without a security model is just risk with good marketing. Stop giving your agents admin access to everything. Stop hardcoding credentials. Stop treating security as a post-launch problem. And if you're still evaluating which computer use agent to actually trust with your production environment, start at coasty.ai. The benchmark lead is real. The architecture decisions are the right ones. And frankly, the bar everyone else has set is embarrassingly low.
