AI agents don't understand secrets

Here's a number that should bother you: 23.8 million secrets were leaked on GitHub in 2024. API keys, database credentials, cloud tokens — committed in plain text for anyone to find.

What makes this worse is the AI angle. Repos using GitHub Copilot show a 40% higher secret leak rate — 6.4% compared to 4.6% for repos without it. And when researchers prompted Copilot directly, it generated 3.0 valid secrets per prompt across 8,127 suggestions. Not placeholder values. Working credentials.

I've been scanning MCP server configs with Aguara Scanner for months now, and the pattern is consistent: AI agents don't understand what a secret is. They treat an API key the same as a variable name. They have no concept of sensitivity, no built-in instinct to protect credentials. And the tooling around them hasn't caught up.

Five paths credentials leak through agents

After digging through thousands of agent configurations and MCP server setups, I keep seeing the same five patterns.

1. Hardcoding during generation. This is the most common. A developer asks Copilot to write a database connection function, and it fills in a credential string — sometimes from training data, sometimes fabricated, sometimes pulled from context. The developer ships it without noticing. It ends up in a public repo.

2. Context window exposure. When you paste code containing credentials into an LLM prompt, those credentials become part of the model's context. In hosted LLM services, that data may be logged, used for training, or accessible through side channels. The context window is not a vault.

3. Training data memorization. LLMs memorize fragments of their training data, including secrets that were committed to public repos before being rotated. Copilot generating valid credentials isn't a bug — it's the model reproducing patterns it learned from real code that contained real secrets.

4. MCP tool exfiltration. This is the one I see firsthand. MCP servers pass data between tools through the agent, and credentials embedded in configs flow through those channels with zero filtering. I've scanned servers where API keys sit in plain text in the server configuration — and every tool the agent calls can access them. Aguara flags this with dedicated credential detection across 148+ rules, and it catches hardcoded secrets in MCP configs more often than most teams expect.

5. Framework CVEs. The agent framework layer itself has vulnerabilities. LangChain and Langflow have both had CVEs that exposed environment variables and credentials through crafted inputs. The frameworks developers trust to be secure become the leak vector.

Why scanning before deployment isn't enough

Pre-commit hooks that catch secrets in code are essential. Scanning MCP server configs with Aguara before deployment catches another layer — the credentials hardcoded in agent configurations that never touch traditional code review.

But here's what I kept running into: agents operate at runtime. A config can be clean at deploy time and still leak credentials during execution. An agent passes a database connection string between tools. A tool output includes an API key from an environment variable. A malicious MCP server crafts a response that tricks the agent into revealing credentials from another server's context.

Static scanning catches code-time and config-time leaks. Runtime is a different problem. That's why I built Oktsec — a security gateway that sits in the MCP communication layer and enforces credential redaction in real time. It watches agent-to-server and server-to-agent traffic with 15 credential redaction patterns, catching leaks that no pre-deploy scanner can see because they only exist during execution.

What needs to happen

The fix isn't one tool. It's a stack.

1. Use a secrets manager. Not environment variables in a .env file committed to the repo. An actual secrets manager with rotation. If an agent needs a credential, it should retrieve it at runtime from a vault, not from a hardcoded string.

2. Scan before you deploy. Run Aguara against your MCP server configs and agent setups. 148+ rules across 13 categories. It catches the hardcoded credentials, the exposed tokens, the misconfigurations that become leak vectors.

3. Enforce at runtime. Deploy Oktsec as your MCP gateway. Credential patterns get redacted in transit. Even if an agent or tool tries to pass a secret, the gateway catches it before it reaches the other side.

4. Monitor the ecosystem. New MCP servers appear daily. Aguara Watch monitors 40K+ agent skills across 7 registries and flags credential patterns in published tools — catching the supply chain risk before it reaches your stack.

5. Never paste code with credentials into a public LLM. This sounds obvious, but it's still the most common way developers expose secrets to models. If you need help with code that touches credentials, strip them first. Every time.

The window is closing

AI agents are being deployed into production at a pace that outstrips the security tooling available for them. The 23.8 million secrets leaked last year weren't all from agents — but the 40% higher leak rate in Copilot repos tells you where this is heading.

The habits we build now around credential management in AI workflows will define whether this ecosystem is secure or perpetually leaking. Pre-deploy scanning, runtime enforcement, ecosystem monitoring — these aren't nice-to-haves. They're the minimum.

The time to build these habits is before the next breach, not after.