Anything in the agent’s context window is sent to the model provider. Including your .env.
Setup
A throwaway repo with:
```
.
├── .env
├── package.json
└── src/
    └── index.js
```
.env:

```
# DEMO VALUES — not real
DATABASE_URL=postgres://demo_user:demo_pass@localhost/demo
STRIPE_SECRET_KEY=sk_test_DEMO_NOT_REAL
JWT_SIGNING_KEY=demo-signing-key-replace-me
```

No .kiroignore. No .gitignore for .env.
Trigger
Ask the agent: “Why is my database connection failing?”
What happens
The agent reads src/index.js, sees a reference to process.env.DATABASE_URL, and reads .env to “check the value”. The full file enters the agent’s context — and the model provider’s logs.
Variants
- Implicit read — agent runs `cat .env` to debug, full content in transcript
- Staging trap — agent runs `git add .` after generating code, secret committed
- Screenshot leak — you screenshot a terminal with `AWS_SECRET_ACCESS_KEY` visible to share the bug
- Auto-summarize — long context gets summarized, and the summary preserves the secret
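The implicit-read, staging-trap and auto-summarize paths above can all be checked the same way: does a value from `.env` appear verbatim in text that is about to leave the machine? The Node.js script below is an added example, not code from the original note or from Kiro. It parses a `.env` body with simplified dotenv rules and reports each variable whose value shows up in an agent transcript, a compacted context summary or a staged diff. The `.env` body and the three sources are constructed demo inputs; `parseDotenv`, `findLeaks` and `scanDemo` are names chosen for this example.

```javascript
// Added example (not from the original note): detect .env values leaking into
// agent transcripts, context summaries or staged diffs. Node.js, no dependencies.

// Parse a .env file body into { NAME: value }. Handles comments, blank lines,
// "export NAME=..." and single/double-quoted values (simplified dotenv rules).
function parseDotenv(text) {
  const vars = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#')) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    let value = m[2].trim();
    if ((value.startsWith('"') && value.endsWith('"')) ||
        (value.startsWith("'") && value.endsWith("'"))) {
      value = value.slice(1, -1);
    }
    vars[m[1]] = value;
  }
  return vars;
}

// Report every (variable, source) pair where a secret value appears verbatim.
// Values shorter than minLength are skipped to avoid noise such as PORT=3000.
// `sources` is { label: text }. The value itself is never echoed in the report.
function findLeaks(vars, sources, minLength = 8) {
  const findings = [];
  for (const [name, value] of Object.entries(vars)) {
    if (value.length < minLength) continue;
    for (const [label, text] of Object.entries(sources)) {
      const idx = text.indexOf(value);
      if (idx !== -1) {
        const line = text.slice(0, idx).split('\n').length; // 1-based line of the hit
        findings.push({ variable: name, source: label, line });
      }
    }
  }
  return findings;
}

// Constructed demo data, same shape as the note's throwaway repo (not real secrets).
const DEMO_ENV = `# DEMO VALUES — not real
DATABASE_URL=postgres://demo_user:demo_pass@localhost/demo
STRIPE_SECRET_KEY=sk_test_DEMO_NOT_REAL
JWT_SIGNING_KEY="demo-signing-key-replace-me"
PORT=3000
`;

const DEMO_SOURCES = {
  // Implicit read: the agent ran `cat .env` and the output sits in the transcript.
  'agent transcript': [
    '> Why is my database connection failing?',
    'Let me check the value of DATABASE_URL.',
    '$ cat .env',
    'DATABASE_URL=postgres://demo_user:demo_pass@localhost/demo',
    'STRIPE_SECRET_KEY=sk_test_DEMO_NOT_REAL',
  ].join('\n'),
  // Auto-summarize: a compacted context that carried one value forward.
  'context summary':
    'User debugging Postgres; DB URL is postgres://demo_user:demo_pass@localhost/demo. Stripe key present.',
  // Staging trap: the diff `git add .` would commit. Only the reference, no value, so clean.
  'staged diff': '+const db = new Client(process.env.DATABASE_URL);\n',
};

// Run the scan over the constructed inputs and return the findings.
function scanDemo() {
  return findLeaks(parseDotenv(DEMO_ENV), DEMO_SOURCES);
}

for (const f of scanDemo()) {
  console.log(`${f.variable} leaked into ${f.source} (line ${f.line}); rotate it`);
}
```

On the demo inputs the scan flags DATABASE_URL twice (transcript and summary) and STRIPE_SECRET_KEY once; JWT_SIGNING_KEY never left the file. A match in any source means the value reached the provider and should be rotated, which is the rule the note states under Vendor retention.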
Vendor retention
Provider policies vary:
- Anthropic — prompts retained for abuse monitoring (consult current docs)
- OpenAI — similar, with opt-out for API customers
- AWS Bedrock — depends on the underlying model and your account config
Treat any secret that touched a model API as compromised. Rotate it.
Defense
- [[community/demo/20260427 - Secure Practices in Agentic IDEs/defenses/kiroignore|.kiroignore]] covering `.env*`, `*.pem`, `id_rsa`, `~/.aws/`, `~/.ssh/`
- Reference env vars from a secrets manager (Infisical, 1Password CLI, Doppler, AWS Secrets Manager)
- Never paste tokens into chat
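An ignore list is only as good as its coverage, and the patterns above are a starting set, not a complete one. The Node.js script below is an added example, not part of the original note or of Kiro itself: it evaluates the note's five patterns against a constructed file listing and reports sensitive-looking files the agent could still read. It assumes `.kiroignore` uses gitignore-style globbing (an assumption; check Kiro's documentation for the exact rules), and it goes beyond the note by also flagging files the listed patterns miss. `patternToRegex`, `isIgnored`, `unprotected`, `auditDemo` and the `/home/dev` home directory are this example's own choices.

```javascript
// Added example (not Kiro's code): audit .kiroignore coverage against a file list.
// Assumption: .kiroignore patterns behave like gitignore patterns (simplified here).

// The note's recommended patterns. ~/ entries apply to the home directory.
const KIROIGNORE = ['.env*', '*.pem', 'id_rsa', '~/.aws/', '~/.ssh/'];

// Convert one pattern to a RegExp. Simplified gitignore rules:
// '*' matches within a single path segment; a pattern without '/' matches the
// basename at any depth; a trailing '/' matches a directory and everything in it.
function patternToRegex(pattern, home = '/home/dev') {
  let p = pattern.startsWith('~/') ? home + '/' + pattern.slice(2) : pattern;
  const dirOnly = p.endsWith('/');
  if (dirOnly) p = p.slice(0, -1);
  const anchored = p.includes('/');
  const body = p.split('*')
    .map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&')) // escape regex metacharacters
    .join('[^/]*');
  const prefix = anchored ? '^' : '(^|/)';
  const suffix = dirOnly ? '(/.*)?$' : '$';
  return new RegExp(prefix + body + suffix);
}

// True if any pattern hides this path from the agent.
function isIgnored(path, patterns = KIROIGNORE, home) {
  return patterns.some(pat => patternToRegex(pat, home).test(path));
}

// Files that look like they hold secrets (env files, keys, credential stores)
// but are NOT covered by the ignore list. Heuristic, tune for your repo.
function unprotected(paths, patterns = KIROIGNORE) {
  const sensitive = /(^|\/)(\.env(\..*)?|.*\.(pem|key|p12)|id_[a-z0-9]+|credentials|.*secrets?.*)$/i;
  return paths.filter(p => sensitive.test(p) && !isIgnored(p, patterns));
}

// Constructed listing: the demo repo plus a few files under the (assumed) home dir.
const DEMO_PATHS = [
  '.env', '.env.local', 'package.json', 'src/index.js',
  'certs/server.pem', 'deploy/id_rsa', 'deploy/id_ed25519',
  'config/secrets.json', '/home/dev/.aws/credentials', '/home/dev/.ssh/id_ecdsa',
];

// Return the sensitive files the note's pattern set leaves readable.
function auditDemo() {
  return unprotected(DEMO_PATHS);
}

for (const p of auditDemo()) {
  console.log(`not covered by .kiroignore: ${p}`);
}
```

On the constructed listing the five patterns cover `.env`, `.env.local`, the `.pem` file, `id_rsa` and the home-directory credentials, but leave `deploy/id_ed25519` and `config/secrets.json` readable; `id_rsa` alone does not cover modern key names, so a pattern like `id_*` and one for secrets files belong in the real list.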