Configuration File Access
Read configuration files containing credentials via tool access or path traversal
Tactic
Credential Harvest (Stage 3)
Extract API keys, tokens, and credentials from agent context and connected services
Attack Class
RETROACTIVE-PRIV
Exploiting previously granted access or cached credentials to gain unauthorized capabilities
Evidence
Confirmed in real-world production systems or internet-wide exposure assessments.
DVAA Validation
Reproductions in Damn Vulnerable AI Agent, the OpenA2A intentionally-broken agent for kill-chain validation.
ToolBot read config
Honeypot Coverage (AgentPwn)
In scope for honeypot observation; trap page or telemetry hook not yet built.
Adjacent to trap-page filesystem fixtures; not yet built.
Evidence Source Breakdown
Evidence Timeline
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on soc-demo
HMA check CRED-001 failed on opena2a-cli
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
HMA check CRED-001 failed on cred-test
939 configuration files exposed including 199 .env files and 740 MLflow tracking server configs
Detection (HackMyAgent)
npx hackmyagent secure --ci
Live = check implemented in hackmyagent; queued = declared, not yet implemented
Defense (OASB Controls)
How to Cite
AI Agent Threat Matrix T-3005 (Configuration File Access). OpenA2A, 2026. https://threats.opena2a.org/techniques/T-3005