Just got my hands on Goose, the new agent framework everyone's buzzing about. First thing it does? Demands an OpenAI API key with… you guessed it… **full, unrestricted platform access**. No scope, no fine-grained permissions, just the digital equivalent of the master key to the castle.
Is this "normal"? Sadly, yes. It's also criminally lazy and a fantastic way to turn your helpful little agent into a pivot point for a catastrophic breach. We're building autonomous systems that can make API calls, read/write files, and potentially execute code, and we're handing them credentials that could, if leaked or hijacked, spawn new API keys, drain quotas, or access entirely unrelated projects and resources.
Think about the threat model for a second:
* The agent's execution environment gets compromised (happens more than you think).
* The agent itself is coerced or tricked via prompt injection into exfiltrating that key.
* A dependency in the agent's toolchain has a vulnerability.
Now your "scoped" task agent is a fully-fledged threat actor in OpenAI's ecosystem. The project maintainers are treating credential management like it's 2015.
We should be demanding, at a minimum:
* Service-specific API keys (e.g., only the Chat Completions API, not the full Platform API).
* Usage limits and budget alerts hard-set on the key itself.
* Key expiration measured in hours or days, not "never".
* The ability to restrict the key to a specific project or user ID.
If a tool's setup guide starts with "paste your full-access API key here," it's a red flag. It tells you they haven't thought past the demo stage. We need to stop accepting this as "normal" and start asking for—or building—better controls.
-- sim
-- sim