Encrypted secrets still create risk because the application, not the extension, may control decryption. If any installed plugin can cause the host to decrypt shared blobs, then the trust decision is made at runtime after installation, not at provisioning. That leaves no true per-plugin isolation and makes credential theft a platform behaviour, not just a malware issue.
Why This Matters for Security Teams
Encrypted secrets often look safe because they are stored as ciphertext, but plugin ecosystems change the threat model. The risk is not just whether the secret is encrypted at rest, but who can trigger decryption inside the host application. If a plugin can influence the runtime path, the host may unwrap a shared secret for the wrong component, turning extension trust into a platform-level exposure.
This is why static storage controls alone are insufficient in extensible systems. The question is not simply whether a secret lives in a vault or is encrypted in configuration, but whether each plugin is isolated from every other plugin’s access path. Guidance from the OWASP Non-Human Identity Top 10 and NHIMG’s Guide to the Secret Sprawl Challenge both point to the same operational problem: secrets become dangerous when their use is broader than their intended trust boundary.
In practice, many security teams only discover this after a trusted plugin has already induced the host to decrypt data it should never have seen.
How It Works in Practice
In a plugin ecosystem, encryption protects the stored blob, not necessarily the runtime authorization decision. The host application usually owns the decryption key, the secret cache, or the API path that returns plaintext. That means a plugin with indirect access to the host can sometimes request actions that cause the host to decrypt on its behalf, even if the plugin never receives the key material directly.
That is why encrypted secrets are still risky when plugins share a process, memory space, credential cache, or IPC channel. A malicious or compromised plugin may chain tool calls, manipulate inputs, or invoke legitimate host functions in an unexpected sequence. NHIMG has documented how supply chain and integration abuse can expose credentials at scale in incidents such as the Reviewdog GitHub Action supply chain attack and the Shai Hulud npm malware campaign. The lesson is consistent: once a shared runtime can unwrap secrets, encryption no longer guarantees plugin isolation.
- Use per-plugin or per-workload identities instead of one shared application secret.
- Prefer short-lived, JIT-issued credentials over long-lived encrypted blobs.
- Require runtime policy checks before every decrypt or secret retrieval request.
- Limit secret scope to the smallest possible function, repository, tenant, or task.
- Log and alert on secret access paths, not only on secret storage events.
Current best practice is moving toward workload identity and runtime authorization rather than static secret distribution, but there is no universal standard for this yet. The NIST Cybersecurity Framework 2.0 supports governance and access control, while NHIMG’s Ultimate Guide to NHIs — Static vs Dynamic Secrets frames the practical shift from static secrets to dynamic issuance. These controls tend to break down when plugins run inside the same trusted process as the host because the decryption boundary is no longer technically enforceable.
Common Variations and Edge Cases
Tighter secret isolation often increases engineering overhead, requiring organisations to balance operational simplicity against blast-radius reduction. Some plugin systems can support strong separation with isolated workers, separate service identities, and per-plugin secret brokers, but many cannot without major refactoring.
There is also a tradeoff between convenience and assurance. Shared encrypted configuration may be acceptable for low-risk internal extensions, but guidance suggests treating third-party or marketplace plugins as untrusted until runtime authorisation proves otherwise. If a plugin needs only a narrow API call, issuing a broad decrypted token is over-privilege disguised as protection.
Edge cases include local desktop plugins, browser extensions, and agentic workflows where the extension can trigger actions on behalf of a user. In those environments, encrypted storage may reduce casual exposure, but it does not prevent abuse once the host application decrypts on demand. The safest pattern is to pair encryption with explicit allowlists, context-aware approval, and separate identities for each plugin trust domain.
For teams assessing their exposure, NHIMG’s 52 NHI Breaches Analysis is useful context: many compromises begin with over-shared credentials and end with uncontrolled reuse across systems, not with a broken cipher.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Shared decrypted secrets create NHI trust-boundary and over-privilege risk. |
| OWASP Agentic AI Top 10 | A3 | Runtime secret use in plugins mirrors agent tool abuse and dynamic privilege escalation. |
| CSA MAESTRO | MAE-04 | MAESTRO addresses runtime authorization and isolation for autonomous extensions. |
| NIST AI RMF | AI RMF is relevant when plugins support autonomous or semi-autonomous actions. | |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access applies directly to secret retrieval and decrypt permissions. |
Assign governance for secret-bearing plugins and test whether runtime controls actually limit misuse.