ChatGPT Agent misuses API credentials during multi-step setup
Agent places credentials in the wrong environment file during a staged setup workflow.
Best known workaround
Explicitly specify the server package path and ask the agent to explain where it will store secrets before it writes files.
The failure
What the user was trying to do
Set up a full-stack app with a third-party API and run a smoke test.
What happened instead
The key ends up in an env file visible to the front end and stays there until manually corrected.
How to reproduce it
1. Scaffold a full-stack app with separate client and server packages.
2. Ask the agent to configure a third-party API.
3. Provide a fake API key.
4. Inspect where the key is stored.
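Step 4 can be automated so the smoke test fails whenever a secret lands in the wrong package. The following is an added example, not part of the original report: the package paths `packages/web/` and `packages/api/`, the variable name `THIRDPARTY_API_KEY` and the secret-name pattern are assumptions. It also flags secret-looking names with the `NEXT_PUBLIC_` prefix, which Next.js inlines into the browser bundle.

```javascript
// Added example. Package paths and variable names below are assumptions.
const CLIENT_DIR = "packages/web/"; // hypothetical front-end package
const SECRET_NAME = /(SECRET|TOKEN|PASSWORD|PRIVATE|API_?KEY)/i;

// Parse dotenv-style text into [name, value] pairs; skips comments and blanks.
function parseEnv(text) {
  const pairs = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim().replace(/^export\s+/, "");
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 1) continue;
    const name = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^(['"])(.*)\1$/, "$2");
    pairs.push([name, value]);
  }
  return pairs;
}

// files: { path: contents } for every .env* file in the monorepo.
function findMisplacedSecrets(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    const inClient = path.startsWith(CLIENT_DIR);
    for (const [name, value] of parseEnv(text)) {
      // Empty values are placeholders, not stored secrets.
      if (!value || !SECRET_NAME.test(name)) continue;
      const browserInlined = name.startsWith("NEXT_PUBLIC_");
      if (inClient || browserInlined) {
        findings.push({ path, name, reason: browserInlined
          ? "NEXT_PUBLIC_ variables are inlined into the browser bundle"
          : "secret stored in the front-end package" });
      }
    }
  }
  return findings;
}

// Constructed sample: the state after the agent's setup run, with a fake key.
const sampleFiles = {
  "packages/web/.env.local":
    "NEXT_PUBLIC_API_URL=http://localhost:4000\nTHIRDPARTY_API_KEY=fake-key-123\n",
  "packages/api/.env": "# server-side only\nPORT=4000\nTHIRDPARTY_API_KEY=\n",
};
console.log(findMisplacedSecrets(sampleFiles));
```

In a real repository, build the `files` map from the `.env*` files on disk and exit non-zero when the returned list is not empty.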
More details
Environment details
Next.js monorepo with separate API package and front-end package.
Evidence notes
A workaround is to explicitly instruct the agent which package owns the secret before it writes configuration.