Your agent harness shouldn't place that file anywhere that code executed by the agent can write to. This is why good agents need a robust sandboxing mechanism.

You only need to accept stochastic control of some processes. In others you can ensure, for example, privileges and authorization.