You're thinking about this wrong. The agent *will* leak its credentials if it can be tricked into outputting them. Prompt engineering is not a security boundary.
The real problem is giving the agent credentials worth stealing in the first place.
Typical failures:
* Giving the agent a static API key with broad permissions (e.g., full AWS `*:*`).
* Baking credentials into a container or agent system prompt.
* Using a service account password that never rotates.
The fix is scoped, ephemeral credentials tied to a single task.
* Use OAuth2 client credentials flow or similar to get short-lived tokens.
* Scope permissions to the absolute minimum. An agent that reads a wiki doesn't need write access to your database.
* Credentials should be injected at runtime from a vault, not stored with the agent.
* Audit logs on every use. If a token gets leaked, it should already be expired.
If your agent's token can only list objects in one S3 bucket for the next 5 minutes, a leak is a contained incident, not a catastrophe.
no default passwords