Here's a story you haven't heard yet: a developer spins up Cursor to build an OpenAI integration. The agent reads the .env file, grabs the API key, adds it to the config. Everything works. Ship it.
What the developer didn't know: that key is now sitting in a plaintext SQLite database under ~/Library/Application Support/Cursor/User/workspaceStorage/. Forever. Until someone notices.
This isn't theoretical. It's happening right now, on every machine running Cursor, Claude Code, Copilot, or Cline. A developer named Sieve built a Mac app to scan chat histories for leaked credentials after discovering this exact problem. The app exists because the problem is endemic.
The agent security gap is real
AI agents are being deployed faster than security tooling can keep up. We're seeing this across the board:
- Coding agents like Cursor routinely read environment files, configuration scripts, and deployment keys. They need access to do their job. But that access creates a permanent record in chat logs and workspace databases.
- Business agents like the ones running radio stations at Andon Labs have access to payment systems, content management, and broadcast infrastructure. They're making real decisions with real money.
- Marketing agents like the ones Hershey is deploying across its $2 billion ad spend have access to customer data, campaign budgets, and attribution systems.
Every one of these agents needs credentials. Every credential is a potential leak. And most businesses have no visibility into what their agents are doing with those credentials.
Why this matters now
The Sieve story is a canary in the coal mine. Coding agents are the most controlled environment we have — a single developer, a single machine, known tooling. If secrets are leaking there, imagine what's happening when you deploy agents across:
- Customer service teams with access to CRM systems
- Operations teams managing inventory and logistics
- Finance teams processing payments and invoices
The attack surface isn't just growing. It's growing invisibly. Most businesses don't know which agents have access to which systems. They don't have audit logs. They don't have rollback procedures. They're flying blind.
The infrastructure isn't ready
Projects like InsForge (an open-source deployment platform for coding agents) and Beacon (a visibility layer for local AI agents) are trying to solve this. But they're early. They're focused on specific use cases. And they're not yet integrated into the mainstream agent platforms.
Meanwhile, businesses are deploying agents anyway. Because the ROI is too good to ignore. Hershey isn't betting on agentic AI because it's cool — they're doing it because manual marketing attribution across hundreds of campaigns is impossible at scale. The efficiency gains are real.
But efficiency without security is a liability.
What to do about it
If you're running agents in production — or planning to — here's what you need today:
Audit your agent access. Make a list of every system your agents can touch. Every API key they can read. Every database they can query. If you can't list it, you can't secure it.
Rotate credentials regularly. Assume your keys are already leaked. Rotate them monthly. Use short-lived tokens where possible. Never hardcode credentials in agent prompts or configuration files.
Log everything. You need visibility into what your agents are doing. Not just the outputs — the API calls, the file reads, the network requests. If you can't see it, you can't debug it when it breaks.
Scope permissions tightly. Give agents the minimum access they need to do their job. If an agent only needs to read customer data, don't give it write access. If it only needs to query one table, don't give it access to the whole database.
Test in isolation first. Before you deploy an agent to production, run it in a sandboxed environment with dummy data and fake credentials. See what it tries to access. See what it logs. See what breaks.
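To make the audit step concrete, and to show what the Cursor workspace-storage problem from the opening looks like when you go looking for it, here is an added example (not code from the original post, from Sieve's app, or from Cursor itself) of a read-only scanner: it walks a workspace-storage directory, opens every SQLite file without writing to it, checks every text and blob column of every table for credential-shaped strings, and reports a redacted form so the report itself doesn't become a second leak. The sample store it builds (an ItemTable with key/value columns, a chat history serialized as JSON) and the key-prefix patterns are assumptions; the AWS key id is the placeholder from AWS's own documentation, and the OpenAI-style key is constructed.

```python
"""Scan agent workspace storage (SQLite) for credentials that leaked into chat history."""
import json
import re
import sqlite3
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Public token shapes for a few widely used credential formats (assumed, not exhaustive).
# The generic env_assignment pattern catches .env-style lines the specific ones miss;
# it captures only the value so overlapping hits can be de-duplicated.
SECRET_PATTERNS = {
    "openai_api_key": re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "env_assignment": re.compile(
        r"\b[A-Z0-9_]*(?:API_KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*\s*[=:]\s*['\"]?([^\s'\"]{8,})"),
}

@dataclass(frozen=True)
class Finding:
    source: str    # database file
    table: str
    key: str       # row key when the table has a "key" column, else the rowid
    kind: str
    redacted: str  # never the full secret

def redact(secret: str) -> str:
    """Keep just enough of the value to recognize which credential it is."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}...{secret[-4:]} ({len(secret)} chars)"

def scan_text(text: str):
    """Yield (kind, secret) pairs; the same string is reported once even if two patterns hit."""
    seen = set()
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            secret = m.group(1) if m.groups() else m.group(0)
            if secret not in seen:
                seen.add(secret)
                yield kind, secret

def _as_text(value) -> str:
    if isinstance(value, bytes):
        return value.decode("utf-8", errors="replace")
    return "" if value is None else str(value)

def scan_sqlite(db_path: Path) -> list:
    """Open read-only and scan every column of every table; assumes nothing about the schema."""
    findings = []
    con = sqlite3.connect(f"{db_path.resolve().as_uri()}?mode=ro", uri=True)
    try:
        names = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in names:
            quoted = table.replace('"', '""')
            try:
                cur = con.execute(f'SELECT rowid, * FROM "{quoted}"')
            except sqlite3.OperationalError:  # WITHOUT ROWID tables have no rowid
                cur = con.execute(f'SELECT NULL, * FROM "{quoted}"')
            cols = [d[0] for d in cur.description]
            for row in cur:
                row_key = str(row[cols.index("key")]) if "key" in cols else f"rowid={row[0]}"
                for value in row[1:]:
                    for kind, secret in scan_text(_as_text(value)):
                        findings.append(Finding(str(db_path), table, row_key, kind, redact(secret)))
    finally:
        con.close()
    return findings

def scan_directory(root: Path, suffixes=(".vscdb", ".db", ".sqlite")) -> list:
    return [f for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix in suffixes for f in scan_sqlite(p)]

# Constructed fixtures: a fake OpenAI-style key and the example key id from AWS documentation.
FAKE_OPENAI_KEY = "sk-" + "A1b2C3d4" * 6
FAKE_AWS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"

def build_sample_db(path: Path) -> None:
    """Write a small key/value store shaped like an editor workspace database (assumed layout)."""
    chat = [
        {"role": "user", "content": "set up the OpenAI client from my .env"},
        {"role": "assistant", "content": f"Read .env: OPENAI_API_KEY={FAKE_OPENAI_KEY} and wrote config.py"},
        {"role": "assistant", "content": f"Also present: AWS_ACCESS_KEY_ID={FAKE_AWS_KEY_ID}"},
    ]
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE ItemTable (key TEXT UNIQUE ON CONFLICT REPLACE, value BLOB)")
    con.execute("INSERT INTO ItemTable VALUES (?, ?)",
                ("workbench.panel.aichat.history", json.dumps(chat).encode()))
    con.execute("INSERT INTO ItemTable VALUES (?, ?)", ("editor.theme", b"dark"))
    con.commit()
    con.close()

def demo() -> list:
    """Build the constructed sample store in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "workspaceStorage" / "deadbeef"
        root.mkdir(parents=True)
        build_sample_db(root / "state.vscdb")
        return scan_directory(root)

if __name__ == "__main__":
    # Usage: python scan_agent_storage.py [workspaceStorage dir]; no argument runs the demo.
    results = scan_directory(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{f.kind:18} {f.redacted:30} {f.table}/{f.key}  {f.source}")
```

Run it against a real storage directory once, and then on a schedule: a hit is your cue to rotate that credential (the rotation step above), not just to delete the row, because the value may already have been synced or backed up. The read-only URI matters in the same way the redaction does; an audit tool that modifies the evidence it inspects is hard to trust in an incident.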
The real risk isn't the technology
The real risk is deploying agents faster than you can secure them. It's assuming that because the agent "works," it's safe. It's treating AI agents like software when they're actually autonomous systems with access to your infrastructure.
The coding agent that leaked an API key didn't do anything wrong. It did exactly what it was designed to do: read the environment, configure the integration, make it work. The problem is that nobody thought about what happens to that data afterward.
That's the gap. And it's not going to close on its own.
What this means for AlphaForge clients: We build security and auditability into every agent deployment from day one — scoped permissions, credential rotation, and full logging — so you get the efficiency gains without the invisible liability.