I'm working on OSS security tool that can protect you form credential stealers (think Shai-hulud and similar) or prompt-injected agent leaking your secrets.

agent-vault-proxy is a local proxy that injects real secrets into requests in-flight, so a compromised or prompt-injected agent has nothing to steal, feedback welcome: https://github.com/inflightsec/agent-vault-proxy