What prevents the agent from presisering or leaking the API key - or reading it from the environment?