This is slick but the only thing it prevents is agents from directly sharing the credentials through git or something.

But that’s not the biggest risk of giving credentials to agents. If they can still make arbitrary API calls, they can still cost money or cause security problems or delete production.

If you’re worried about creds leakage only because your credentials are static and permanent, well, time to upgrade your secrets architecture.