Hacker News

amluto, today at 6:24 PM

When you use DeepSeek’s first-party API, you are giving them your token stream. This has some training value, but it also has incredible amounts of, well, business intelligence value. When you tell AWS your secrets or your customer data, you can be fairly confident they won’t abuse that knowledge. When you give this data to, say, OpenAI, they more or less promise not to abuse it if you’re on an appropriate business plan. If you give it to DeepSeek, even incidentally as something your agent reads, I would be quite surprised if DeepSeek doesn’t mine it for whatever purpose they or the government feel is appropriate.

The risk of letting your agent read .env goes far beyond the risk that the agent itself does something you don’t like with the contents.


Replies

Wowfunhappy, today at 6:25 PM

But this shouldn't be a risk if you host the model locally.