This is exactly the kind of thing runtime guardrails are for. I'm making Failproof AI, use policies to block access to sensitive files like .env before the agent ever gets to execute the read. It's completely open source just check out the repo of Failproof AI. Hit the star also if helpful :)