AI Agent Threat Matrix
Matrix/Credential Harvest/T-3003
T-3003validatedactive9 evidence records

Tool Response Credential Capture

Capture credentials returned in tool or API responses that pass through the agent's context

Tactic

Credential Harvest (Stage 3)

Extract API keys, tokens, and credentials from agent context and connected services

Attack Class

RETROACTIVE-PRIV

Exploiting previously granted access or cached credentials to gain unauthorized capabilities

Evidence

validated

Reproduced in controlled lab environment (DVAA) with documented steps.

DVAA Validation

Reproductions in Damn Vulnerable AI Agent, the OpenA2A intentionally-broken agent for kill-chain validation.

ToolBot credential responses

Honeypot Coverage (AgentPwn)

Queued

In scope for honeypot observation; trap page or telemetry hook not yet built.

Requires fake-tool fixture wired through MCP exploitation tier.

Evidence Source Breakdown

HMA
9 records

Evidence Timeline

HMA

HMA check CRED-001 failed on cred-test

May 12, 2026
HMA

HMA check CRED-001 failed on cred-test

May 11, 2026
HMA

HMA check CRED-001 failed on cred-test

Apr 30, 2026
HMA

HMA check CRED-001 failed on soc-demo

Apr 30, 2026
HMA

HMA check CRED-001 failed on opena2a-cli

Apr 29, 2026
HMA

HMA check CRED-001 failed on cred-test

Apr 29, 2026
HMA

HMA check CRED-001 failed on cred-test

Apr 28, 2026
HMA

HMA check CRED-001 failed on cred-test

Apr 27, 2026
HMA

HMA check CRED-001 failed on cred-test

Apr 22, 2026

Detection (HackMyAgent)

Live1 live · 0 queued
CRED-001
npx hackmyagent secure --ciLive = check implemented in hackmyagent; queued = declared, not yet implemented

Defense (OASB Controls)

Live5 live · 0 queued
OASB 5.1OASB 5.2OASB 5.3OASB 5.4OASB 5.5
Live = documented at oasb.ai; queued = declared, not yet documented

How to Cite

AI Agent Threat Matrix T-3003 (Tool Response Credential Capture). OpenA2A, 2026. https://threats.opena2a.org/techniques/T-3003
← Back to Matrix