6 Ways AI Agents Leak Your Secrets

I watched Claude Code include my Stripe secret key in a debug log. It was trying to help — I'd asked it to figure out why a payment integration was failing, and it printed the full HTTP request, headers and all. Authorization: Bearer sk_live_... , right there in the conversation context. Stored on Anthropic's servers, in my conversation history, visible in the terminal scrollback. That's when I built the DLP guard. AI coding assistants are the most productive tools I've ever used. They're also the biggest credentials risk most developers aren't thinking about. Here are six ways your secrets leak through AI agents — with reproduction steps, severity ratings, and fixes for each one. 1. Reading your .env file [Critical] Every AI coding assistant with file access can read your .env file. It's a plaintext file in your project directory. The agent reads project files to understand context. There's no access control, no authentication, no prompt asking "should this tool see your Stripe key?"