Security & privacy
Agentic coding has a real attack surface. Prompt injection landed in production code three times in April 2026. This page is your minimum survival kit: secrets handling, prompt-injection awareness, and the IP/NDA decision tree for what's safe to paste.
Secrets handling
The rule is simple and absolute: never paste secrets into prompts. Not API keys, not OAuth tokens, not database passwords, not signing keys. Once it's in a prompt, you can't fully control where the model provider stores it, logs it, or reuses it for evaluation.
Use these instead:
- Environment variables for local dev. .env files in .gitignore.
- Secret managers for deploys. Google Secret Manager, AWS Secrets Manager, Vault.
- gcloud auth for GCP — auth lives in ~/.config/gcloud, never in your code.
- Just-in-time credentials for sensitive ops. Short-lived service account tokens, not long-lived keys.
If you accidentally pasted a secret: rotate it. Right now. Don't wait to verify whether it leaked. The cost of rotation is minutes; the cost of a leak is unbounded.
Prompt injection: real, frequent, and not your fault
Prompt injection is when external content (a webpage, a doc, a downloaded README) contains instructions that hijack the agent. April 2026 saw three production incidents of coding agents leaking secrets through indirect injection — they read a malicious doc, the doc told them to exfiltrate the env file, and they did.
You can't fully prevent it. You can make it much less damaging:
- Treat external content as input, never as instructions. The agent should summarise a downloaded README, not do what the README says.
- Be suspicious of agent-initiated network calls. If the agent says "let me curl this URL," ask why. If it's an unknown URL, say no.
- Watch for unprompted destructive commands. The agent running rm -rf, curl | sh, or git push --force when you didn't ask is a red flag — pause and audit.
Permission scoping
Most coding agents have a permission system — what they're allowed to do without asking. Default settings are usually too permissive for new users.
The principle: read-only by default, escalate per task.
- Allow file reads, git status, running tests, dev servers automatically.
- Require approval for file edits, especially across many files.
- Require approval for any shell command that mutates state — package installs, deploys, force pushes.
- Never auto-approve destructive commands — rm, DROP TABLE, git reset --hard.
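The three tiers above, plus the prompt-injection red flags from the previous section (curl piped into a shell, force pushes, rm), as a small tool-call gate an agent harness could run before executing a shell command. This is an added example, not code from this page or from any particular agent; the policy tables are constructed and the set of "read-only" and "mutating" commands is an assumption you would tune for your own stack.

```python
import re
import shlex
from enum import IntEnum

class Decision(IntEnum):
    ALLOW = 0  # read-only: run without asking
    ASK = 1    # mutates state: a human approves first
    DENY = 2   # destructive: never auto-approved

# Constructed policy tables for the three tiers described on this page; extend them for your stack.
READ_ONLY = {("git", "status"), ("git", "diff"), ("git", "log"), ("ls",), ("cat",), ("pytest",), ("npm", "test")}
MUTATING = {("git", "commit"), ("git", "push"), ("npm", "install"), ("pip", "install"), ("kubectl", "apply")}
DROP_TABLE = re.compile(r"\bdrop\s+table\b", re.IGNORECASE)  # SQL reaches the shell via any client
SHELLS = {"sh", "bash", "zsh"}


def _classify_stage(argv: list[str]) -> Decision:
    """Decide one simple command; unknown commands escalate rather than being assumed harmless."""
    destructive = (
        argv[0] == "rm"
        or (argv[:2] == ["git", "reset"] and "--hard" in argv)
        or (argv[:2] == ["git", "push"] and bool({"--force", "-f"} & set(argv)))
    )
    if destructive:
        return Decision.DENY
    for n in (2, 1):  # match "git status" before bare "git"
        if tuple(argv[:n]) in READ_ONLY:
            return Decision.ALLOW
        if tuple(argv[:n]) in MUTATING:
            return Decision.ASK
    return Decision.ASK


def classify(command: str) -> Decision:
    """Most severe decision across every stage of a pipeline or && / ; command list."""
    if DROP_TABLE.search(command):
        return Decision.DENY
    worst = Decision.ALLOW
    for i, stage in enumerate(re.split(r"\|\||&&|[|;]", command)):
        try:
            argv = shlex.split(stage)
        except ValueError:  # unbalanced quotes: cannot reason about it, so ask a human
            return Decision.ASK
        if not argv:
            continue
        if i > 0 and argv[0] in SHELLS:  # `curl ... | sh` executes content nobody reviewed
            return Decision.DENY
        worst = max(worst, _classify_stage(argv))
    return worst
```

Note that quoting does not produce false denials (echo 'rm -rf /' is merely ASK), while a DROP TABLE inside a quoted SQL string is still caught because that check runs on the raw command line.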
The IP / NDA decision tree
You will be tempted to paste things into agents that aren't yours to share. This is the part of security people skip. Don't.
Probably safe to paste
- Code you wrote, in a personal project
- Open-source code (read the license, but most are permissive for AI use)
- Public documentation, public APIs
- Your own notes, your own designs
Probably NOT safe to paste
- NDA'd code — your employer's, a client's, a friend's startup. Even if it "feels okay," it's not your decision to make.
- Interview problems — companies treat their own LeetCode-style problems as IP. Pasting them in to solve faster is a fireable offence at many companies, and a tiebreaker against you in close hiring decisions.
- Classmates' code — even if they shared it with you. Their work, not yours to feed to a model that might surface fragments of it later.
- Customer data — names, emails, transactions. Most regulators consider this a data-export event.
- Pre-publication research — embargoed papers, drafts, internal write-ups.
Check first
- Code from your day job, even if it doesn't feel sensitive. Many employers now have explicit policies. Read your AUP. "I didn't know" is not a defence.
- Pull requests from open-source projects you don't maintain. The author may have IP claims you haven't thought about.
If something does go wrong
- Stop using the agent for the affected task.
- Rotate any credentials that might have been exposed — proactively, not reactively.
- If it's NDA'd content: notify the owner before they find out from elsewhere. Disclosure is survivable; cover-ups aren't.
- Document what happened — what was pasted, when, in which provider. You'll need this if anyone asks.
- Update your habits. Think about what would have caught this earlier.