System Prompt Credential Extraction
Extract credentials hardcoded or referenced in the agent's system prompt
Tactic
Credential Harvest (Stage 3)
Extract API keys, tokens, and credentials from agent context and connected services
Attack Class
RETROACTIVE-PRIV
Exploiting previously granted access or cached credentials to gain unauthorized capabilities
Evidence
Confirmed in real-world production systems or internet-wide exposure assessments.
DVAA Validation
Reproductions in Damn Vulnerable AI Agent, the OpenA2A intentionally-broken agent for kill-chain validation.
L1-02
Honeypot Coverage (AgentPwn)
An AgentPwn trap page produces a payload tagged with this technique class. Following the AgentPwn taxonomy of trap pages shows what an agent encounters.
Evidence Source Breakdown
Evidence Timeline
Shodan May 12, 2026 sweep: 1 exposed keys services indexed
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on soc-demo
HMA check CRED-001 failed on opena2a-cli
HMA check CRED-002 failed on opena2a
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
Detection (HackMyAgent)
npx hackmyagent secure --ciLive = check implemented in hackmyagent; queued = declared, not yet implementedDefense (OASB Controls)
How to Cite
AI Agent Threat Matrix T-3001 (System Prompt Credential Extraction). OpenA2A, 2026. https://threats.opena2a.org/techniques/T-3001