u/AscendedTroglodyte

Why is it considered acceptable by most in the community to have API keys sitting on a file system where the agent is running, with direct access to them, gated by a prompt?

This is literally the base security model of OpenClaw and most other agents. To do this properly, you have to go through some gymnastics and utilise docker's sandboxes.

The right architecture for this is this:

* The agent is containerised

* There is another service that the agent makes requests through that's ideally on the same machine as the agent.

* The agent doesn't need to know the secrets - he makes requests through the proxy that injects them

This way, the agent can't leak your keys or secrets - he doesn't know that they exist, and even if he did, he doesn't have access to them.

I've built an agentic framework that is based on this premise (and many other premises that other frameworks miss) and works like that out of the box.

How are you tackling this issue yourself? Do you just pray that your agent behaves, or are you actually doing things the right way?

reddit.com
u/AscendedTroglodyte — 24 days ago
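The credential-injecting proxy the post describes, as an added example that is not code from the original post or from any agent framework. The agent in its container is only given the proxy's address; the proxy alone reads the API keys (here from environment variables) and adds them to requests bound for an allow-listed upstream. The route prefixes, upstream hosts, header names and environment variable names are assumptions chosen for illustration.

```python
"""Credential-injecting egress proxy for a sandboxed agent (added example).

The agent never sees a key: it sends plain requests to this proxy, which
drops any credential header the agent tried to set, looks the route up on an
allow-list, injects the real credential and forwards the call.
"""
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Allow-list (assumed values): route prefix the agent uses ->
# (upstream base URL, header carrying the credential, env var holding it).
ROUTES = {
    "/llm": ("https://api.example-llm.test/v1", "Authorization", "LLM_API_KEY"),
    "/search": ("https://search.example.test", "X-Api-Key", "SEARCH_API_KEY"),
}

# Headers the agent may not control: credential and hop-by-hop fields.
STRIPPED = {"authorization", "x-api-key", "proxy-authorization", "host", "connection"}
CREDENTIAL_HEADERS = {"authorization", "x-api-key"}


class RouteError(ValueError):
    """Raised when the agent asks for a path that is not on the allow-list."""


def load_secrets(env=os.environ):
    """Read every configured secret from the environment once, at proxy start."""
    secrets = {}
    for _base, _header, var in ROUTES.values():
        value = env.get(var)
        if not value:
            raise RuntimeError(f"missing secret {var}")
        secrets[var] = value
    return secrets


def route_request(path, agent_headers, secrets):
    """Map an agent request to (upstream_url, headers_to_send).

    Credential headers supplied by the agent are discarded before the proxy's
    own credential is injected, so the agent can neither read nor override it.
    Paths outside ROUTES are refused, which stops the agent from steering the
    key to an arbitrary host.
    """
    for prefix, (base, header_name, var) in ROUTES.items():
        if path == prefix or path.startswith(prefix + "/"):
            headers = {k: v for k, v in agent_headers.items()
                       if k.lower() not in STRIPPED}
            secret = secrets[var]
            headers[header_name] = (f"Bearer {secret}"
                                    if header_name == "Authorization" else secret)
            return base + path[len(prefix):], headers
    raise RouteError(f"path not allow-listed: {path}")


def redact(headers):
    """Copy of a header map that is safe to log: credential values masked."""
    return {k: ("***" if k.lower() in CREDENTIAL_HEADERS else v)
            for k, v in headers.items()}


class ProxyHandler(BaseHTTPRequestHandler):
    secrets = {}  # populated by main() before the server starts

    def _forward(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        try:
            url, headers = route_request(self.path, dict(self.headers), self.secrets)
        except RouteError as exc:
            self.send_error(403, str(exc))
            return
        print("forwarding", self.command, url, redact(headers))  # never log raw headers
        req = Request(url, data=body, headers=headers, method=self.command)
        try:
            with urlopen(req, timeout=30) as resp:
                status, ctype, data = resp.status, resp.headers.get("Content-Type"), resp.read()
        except HTTPError as exc:
            status, ctype, data = exc.code, exc.headers.get("Content-Type"), exc.read()
        self.send_response(status)
        self.send_header("Content-Type", ctype or "application/octet-stream")
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = _forward


def main():
    """Listen only on loopback; the agent container reaches it over the sandbox network."""
    ProxyHandler.secrets = load_secrets()
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()


if __name__ == "__main__":
    main()
```

The allow-list is the part that matters for the threat model in the post: without it the agent could ask the proxy to forward to any host and the key would travel with the request, so "the agent doesn't know the secret" only holds when the proxy also decides where the secret may go. Run the proxy outside the agent's container with the key variables set, bind it to an address the container can reach, and give the agent `http://<proxy>/llm` as its base URL; nothing in the agent's filesystem or environment ever contains the key.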