Ask HN: Threat model for Qualys Agent managed by untrustworthy client company?
2 by terminous | 1 comments on Hacker News.
I'm in talks with a new client company. I'm willing to do contract work with them, but for various reasons, I do not fully trust everyone in the company. My threat model includes unintentional security breaches on their end and intentional espionage and exfiltration. I also don't want some micromanager poring over my work logs just to satisfy their curiosity.

The company is requiring Qualys Agent be installed on any machine that is used to do client work, which will be authorized with their remote management service. It seems this effectively gives their IT department root to my machine, or at least allows very broad access to my files and sessions. Even though it doesn't seem like Qualys is designed for espionage, could it be abused by a bad actor? Or if one of their staff gets phished, is my machine now vulnerable? Am I being unreasonable with these concerns? If I wouldn't trust them with my root password or SSH key, should I also not trust them with Qualys Agent?

I don't want to get new machines just to do this client's work, but is that the only solution? Or perhaps this risk can be mitigated by installing a second OS partition w/ Qualys that is used only for client work, then encrypting the other partition with the OS I use for all other work.
Abubakar Mahmoud Sadiq