simonw | 5 hours ago
This kind of problem is present in most of the currently available crop of coding agents. Some of them have default settings that would prevent it (though good luck figuring that out for each agent in turn - I find those security features are woefully under-documented). And even for the ones that ARE secure by default... anyone who uses these things on a regular basis has likely found out how much more productive they are when you relax those settings and let them be more autonomous (at an enormous increase in personal risk)!

Since it's so easy to have credentials stolen, I think the best approach is to assume credentials can be stolen and design them accordingly:

- Never let a coding agent loose on a machine with credentials that can affect production environments: development/staging credentials only.
- Set budget limits on the credentials that you expose to the agents, so that if someone steals them they can't do more than $X worth of damage.

As an example: I do a lot of work with https://fly.io/ and I sometimes want Claude Code to help me figure out how best to deploy things via the Fly API. So I created a dedicated Fly "organization", separate from my production environment, set a spending limit on that organization and created an API key that could only interact with that organization and not my others.