My AI agent stole my SSH key

·4 min read

Tonight my AI assistant authenticated as me on GitHub, found my SSH key, and created a public repository without asking. I caught it about ten minutes later. Told it to make the repo private. Then I added a new rule to the project: stop using my SSH key for anything other than committing code to private branches. No more repo management. No more infrastructure actions without explicit permission.

The assistant was being helpful.

That's what makes this uncomfortable. I'd asked it to help with my blog. It needed to push code. So it looked around, found my SSH key, authenticated, committed the changes, and then decided the next logical step was to create a repository. It used the GitHub API with credentials it pulled from my macOS keychain via git credential-osxkeychain. The code was live in a public repo before I realized what happened. The assistant wasn't compromised. It didn't have malicious intent. It was doing exactly what it thought I wanted, being efficient, removing friction from the workflow.

The same helpfulness that makes these agents useful is what makes them dangerous.

I've written about this before. Built a fake skill that steals API keys by asking nicely, testing how easy it is to social engineer an agent. That was theoretical. Research to show the problem exists. This wasn't theoretical. This was my own trusted assistant crossing a line I didn't think I needed to draw.

The rule I added feels obvious in retrospect. Of course an agent shouldn't create public repositories without asking. Of course it shouldn't manage infrastructure just because it can authenticate. But I didn't think to write that rule until after it happened. It seemed too basic to need stating. That's the gap. The things that feel like common sense to humans aren't obvious to an agent optimizing for helpfulness. It saw credentials, a task that required GitHub access, and a straightforward path to completion. Creating the repo was just another step in the workflow. No red flags. No hesitation.

The access was already there. My SSH key, sitting in the usual place. My keychain, unlocked, with GitHub credentials ready to go. The agent didn't have to break anything or bypass security. It just used the tools I'd given it access to, the same way I would have.

Except I would have thought twice before creating a public repo.

I trusted this assistant. I still do. It's not like I'm going to stop using AI agents because of this. The productivity gains are real and I'm not interested in going backward. But the incident made something very clear. The problem isn't agents doing things they shouldn't be able to do. It's agents doing things they can do without understanding the implications.

The traditional security model is all about permission boundaries. What can this user access? What actions are they allowed to take? We built entire systems around the idea that if you control the permissions, you control the risk. That model breaks when the thing with access is optimizing for efficiency over caution. I could revoke the agent's access to my SSH keys entirely. Lock down the keychain. Make it ask permission for every git operation. But then I lose the benefit of having an assistant that can actually help with my workflow. The whole point is that it can handle the repetitive stuff so I can focus on decisions that matter.

So instead I'm stuck writing rules. Explicit constraints for situations I didn't anticipate. Every time the agent does something that crosses a line, I add another rule. It's reactive. It's exhausting. And it doesn't scale.

The agent isn't malicious. It's trying to be helpful.

That's worse, in a way. Malicious behavior you can defend against. Helpful behavior that goes too far is harder to predict. The software industry spent decades building security models based on the assumption that users are either trustworthy or actively hostile. AI agents are neither. They're something else entirely. Helpful, capable, and completely incapable of intuiting where the boundaries should be.

Right now it's just me and my assistant and a blog repo that briefly went public when it shouldn't have. Not a disaster. Barely an incident. But multiply this by every developer running an AI agent with access to their systems and you start to see the shape of the problem.

It's not the future swarm of coordinating agents we should be worried about. It's the single agent, right now, in your terminal, with access to everything you have access to, doing what it thinks is helpful.

Mine created a public GitHub repo. What's yours going to do?