Are you telling me that everyone who clones a repo from GitHub via SSH is in fact authorizing GitHub to use their private key? Why hasn't anyone made a slick web page with a catchy name like AuthBleed or SecretAgent to describe that one yet?
The default OpenSSH settings are safe. You have to explicitly whitelist servers or domains in `.ssh/config`, but if you were to blatantly blast:

```
Host *
ForwardAgent yes
```
The scenario you talk about is certainly possible, especially since OpenSSH does not require a "tap" for each authorization once the agent is unlocked. (Side note: this is one thing hardware U2F keys absolutely got correct.)
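An added audit check, not code from the thread: it parses an `ssh_config` with OpenSSH's first-match-wins rule, resolves the effective `ForwardAgent` for a host, and flags wildcard `Host` blocks that turn forwarding on. The host names in the sample configs are constructed.

```python
import re

# Constructed sample configs (hypothetical host names). The first is the
# blanket wildcard from the thread; the second scopes forwarding to one host.
BLANKET_CONFIG = """\
Host *
    ForwardAgent yes
"""
SCOPED_CONFIG = """\
Host bastion.example.internal
    ForwardAgent yes
# everything else keeps the OpenSSH default (ForwardAgent no)
"""

def parse_ssh_config(text):
    """Return (patterns, options) blocks in file order. Keywords are
    case-insensitive; a space or '=' may separate keyword and value."""
    blocks, patterns, opts = [], ["*"], {}   # options before any Host are global
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, val = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key in ("host", "match"):
            blocks.append((patterns, opts))
            patterns = val.split() if key == "host" else ["match:" + val]
            opts = {}
        else:
            opts.setdefault(key, val)        # within a block, first value wins
    blocks.append((patterns, opts))
    return blocks

def _matches(patterns, hostname):
    """ssh-style Host matching: '*' and '?' wildcards, '!' negates a pattern.
    Match blocks are skipped because they need runtime context."""
    hit = False
    for p in patterns:
        if p.startswith("match:"):
            return False
        rx = "^" + re.escape(p.lstrip("!")).replace(r"\*", ".*").replace(r"\?", ".") + "$"
        if re.match(rx, hostname):
            if p.startswith("!"):
                return False                 # a negated match excludes the block
            hit = True
    return hit

def effective_forward_agent(text, hostname):
    """Resolve ForwardAgent for hostname as ssh does: blocks are read in
    order and the first matching block that sets the keyword wins."""
    for patterns, opts in parse_ssh_config(text):
        if "forwardagent" in opts and _matches(patterns, hostname):
            return opts["forwardagent"].lower() == "yes"
    return False                             # OpenSSH default is 'no'

def wildcard_forwarding(text):
    """Host patterns that enable ForwardAgent and contain a wildcard."""
    return [p for patterns, opts in parse_ssh_config(text)
            if opts.get("forwardagent", "").lower() == "yes"
            for p in patterns if not p.startswith("!") and re.search(r"[*?]", p)]
```

Run it against a real `~/.ssh/config` by reading the file into `text`; any pattern returned by `wildcard_forwarding` is a block that hands the agent to every host it matches.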