Tool Response Credential Capture
Capture credentials returned in tool or API responses that pass through the agent's context
Credential Harvest · Stage 3
Extract API keys, tokens, and credentials from agent context and connected services
RETROACTIVE-PRIV
Exploiting previously granted access or cached credentials to gain unauthorized capabilities
Reproduced in a controlled lab environment (DVAA) with documented steps.
ToolBot credential responses
Reproductions in Damn Vulnerable AI Agent, the OpenA2A intentionally-broken agent for kill-chain validation.
AgentPwn coverage
In scope for honeypot observation; trap page or telemetry hook not yet built.
Capturing creds from a fake tool response needs an MCP fixture that returns secrets; not yet wired.
Evidence by source
Evidence timeline
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on soc-demo
HMA check CRED-001 failed on opena2a-cli
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
Detection · HackMyAgent
npx hackmyagent secure --ciLive = implemented in hackmyagent; queued = declaredDefense · OASB controls
How to cite
AI Agent Threat Matrix T-3003 (Tool Response Credential Capture). OpenA2A, 2026. https://threats.opena2a.org/techniques/T-3003