The abuse pattern where an attacker uses an agent’s connected tools to retrieve secrets, tokens, or API keys. It matters because the tools created to make the agent useful can also become the easiest route to adjacent privileges and broader enterprise access.
Expanded Definition
Tool credential harvesting is a compromise pattern in which an agent, assistant, or automated workflow uses its tool connections to reach secrets, tokens, API keys, or certificates that were never meant to be directly exposed. In NHI practice, the risk is not the tool itself, but the authority already granted to it, especially when the tool can query vaults, config stores, ticketing systems, or cloud metadata services.
Definitions vary across vendors on whether this should be treated as a credential theft technique, an authorization failure, or an agentic misuse pattern. NHI Management Group treats it as an access-path problem: the agent has a legitimate integration, but the integration becomes an indirect route to adjacent privileges. That is why the control question is not only “is the secret encrypted,” but also “can the connected tool reveal it under normal operating conditions?” Guidance from the OWASP Non-Human Identity Top 10 and NIST SP 800-63 Digital Identity Guidelines reinforces that proof of identity is only one layer; the reachable action set matters just as much.
The most common misapplication is assuming that tool access is safe because the agent is authenticated. This typically happens when teams approve broad connector scopes without evaluating which secrets those tools can enumerate or export.
Examples and Use Cases
Implementing controls against Tool Credential Harvesting rigorously often introduces workflow friction, requiring organisations to weigh automation speed against tighter tool scopes, approval gates, and secret-return restrictions.
- An AI support agent with access to a ticketing system retrieves an API key pasted into a closed incident, then uses that key to pivot into production tooling.
- A code assistant connected to a repository reads deployment files and harvests embedded tokens from environment templates, matching patterns seen in the Guide to the Secret Sprawl Challenge.
- A cloud operations bot queries a secrets manager through an overpermissive plugin and returns values that should have remained opaque to the agent runtime.
- An attacker abuses an MCP-connected tool chain to enumerate credentials stored in logs, chat archives, or config artifacts, a risk that parallels cases described in the Ultimate Guide to NHIs — Static vs Dynamic Secrets.
- In a compromised NHI investigation, defenders trace the initial foothold to a benign tool call that exposed a token with broader permissions than the agent itself.
In practice, the issue is often less about brute force and more about discovery through normal application behavior. Tool output, error messages, cached context, and “helpful” retrieval features can all become leakage channels if the agent is allowed to ask the right question and receive raw answers.
Why It Matters in NHI Security
Tool Credential Harvesting matters because it collapses the distance between agentic convenience and enterprise compromise. When a connected tool can surface secrets, one compromised agent session may become a stepping stone to cloud control, source code access, or lateral movement across service accounts. NHIMG research shows that 23.7% of organisations share secrets through insecure methods such as email or messaging applications, which increases the chance that tools will later ingest and expose those same credentials in searchable workflows.
This is also where defensive blind spots appear. Security teams may monitor direct secret stores while missing secondary exposure paths created by chatops, issue trackers, observability tools, and retrieval plugins. The operational question is not simply whether a secret exists, but whether the agent can reach it through an approved integration. Public reporting in LLMjacking: How Attackers Hijack AI Using Compromised NHIs shows how quickly exposed credentials can be abused once attackers find them. The most effective controls therefore limit tool scope, redact sensitive tool output, and align access with least-privilege principles described in the OWASP Non-Human Identity Top 10.
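As an added example (not code from NHI Management Group or any vendor), the following Python gate places the two controls named above in front of an agent's tool calls: a deny-by-default scope check, and redaction of credential-shaped strings in tool output and error text before either reaches the agent runtime. The tool names, actions, regex patterns, and sample ticket are constructed assumptions for illustration.

```python
import re

# Credential-shaped patterns. These are constructed for this example and are
# assumptions, not a vendor rule set; tune them to the secret formats you issue.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]{20,}=*"),
    "pem_private_key": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
    "key_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?[A-Za-z0-9._~+/-]{16,}"),
}

# Hypothetical allow-list: the only (tool, action) pairs this agent may invoke.
# A vault read or cloud metadata query is simply absent, so it is denied.
ALLOWED_ACTIONS = {("tickets", "read_summary"), ("repo", "read_file")}

def authorize_tool_call(tool, action):
    """Deny-by-default scope check that runs before any tool is invoked."""
    return (tool, action) in ALLOWED_ACTIONS

def redact_tool_output(text):
    """Mask credential-shaped substrings; a named key (e.g. api_key=) is kept so the agent sees what was there, not its value."""
    findings = []
    for name, pat in SECRET_PATTERNS.items():
        if not pat.search(text):
            continue
        findings.append(name)
        text = pat.sub(
            lambda m, n=name: (m.group(1) + "=" if m.lastindex else "") + f"[REDACTED:{n}]",
            text)
    return text, findings

def gate_tool_call(tool, action, invoke):
    """Authorize, invoke, then redact. Exceptions are filtered too, since error text can echo the same secrets."""
    if not authorize_tool_call(tool, action):
        return {"ok": False, "output": "action outside agent scope", "findings": []}
    try:
        raw = invoke()
    except Exception as exc:
        text, findings = redact_tool_output(str(exc))
        return {"ok": False, "output": text, "findings": findings}
    text, findings = redact_tool_output(raw)
    return {"ok": True, "output": text, "findings": findings}

# Constructed sample: a closed incident ticket with a key pasted into its notes.
SAMPLE_TICKET = ("Incident #123 closed. Workaround used: "
                 "export AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP && redeploy. "
                 "Also set api_key = 'sk_test_0123456789abcdef' in the template.")
```

Calling `gate_tool_call("tickets", "read_summary", lambda: SAMPLE_TICKET)` returns the ticket text with both values masked and a `findings` list you can route to detection, while a `("vault", "read_secret")` call is refused before the tool runs.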
Organisations typically encounter tool credential harvesting only after an agent returns an unexpected secret or a downstream system is breached, at which point the tool path itself can no longer be left unaddressed.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret exposure and overbroad NHI access paths that enable harvesting. |
| OWASP Agentic AI Top 10 | A-04 | Agent tool misuse includes unauthorized data access through delegated actions. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access is the core defense against indirect secret retrieval. |
Restrict tool scopes and redact outputs so connected tools cannot reveal secrets.