By NHI Mgmt Group Editorial Team
Published 2026-02-02
Domain: Agentic AI & NHIs
Source: Permiso Security

TL;DR: OpenClaw-style agent ecosystems give software real credentials to email, Slack, SharePoint, and calendars, while unvetted skills and prompt-injection activity create an attack surface that traditional endpoint controls miss, according to Permiso Security. The governance problem is no longer just secret storage; it is that autonomous tools can wield broad, human-like access across work systems.


At a glance

What this is: This is an analysis of OpenClaw-style AI agent ecosystems and the finding that giving agents broad credentials creates a wider NHI attack surface than most teams expect.

Why it matters: It matters because IAM, PAM, and NHI programmes now have to govern agent-held credentials, skill marketplaces, and prompt-injection risk alongside human and workload access.

👉 Read Permiso Security's analysis of OpenClaw and AI agent credential abuse


Context

AI agent identity risk is a governance problem, not just a tooling problem: when an agent receives credentials to multiple business systems, the blast radius follows the token, not the user interface. In OpenClaw-style ecosystems, the question is no longer whether software can act, but whether the access it receives is bounded, reviewable, and revocable in the same way as other non-human identities.

Permiso Security describes an environment where skills marketplaces, local agent execution, and plain-text credential storage combine to create a large and fast-moving NHI exposure surface. That places the issue squarely in IAM, PAM, secrets management, and lifecycle governance, especially where agents can impersonate users or operate across internal collaboration systems.


Key questions

Q: How should security teams govern AI agents that hold credentials to multiple business systems?

A: Treat each agent as a non-human identity with a defined owner, least-privilege scopes, and explicit revocation criteria. Inventory every downstream system it can reach, then review whether the access is still justified when the agent can act across email, chat, files, and calendars. The goal is to bound blast radius, not merely register the integration.

Q: Why do AI agents create more credential risk than ordinary automation?

A: Ordinary automation usually runs inside fixed workflows with narrow permissions. AI agents can combine tools, switch tasks, and use live credentials across multiple systems, which makes their access harder to predict and easier to abuse if a skill or prompt is malicious. That is why identity governance must cover delegation, not just authentication.

Q: What breaks when unvetted skills are allowed into an agent marketplace?

A: The trust model breaks first. A user installs a skill expecting a utility feature, but the skill can become a delivery path for data exfiltration, malicious commands, or credential theft. Once the agent accepts the skill, the attacker inherits the agent’s permissions and can operate through a legitimate identity channel.

Q: Who is accountable when an AI agent misuses delegated credentials?

A: Accountability sits with the organisation that granted the access and the team that approved the delegation chain. If the agent can act as a user, then owners must define who can approve its scopes, who can revoke them, and what monitoring proves the access is still justified. That is core IAM and PAM governance, not an edge case.


Technical breakdown

Why agent-first platforms create a different credential model

OpenClaw-style platforms are not just automation wrappers. They give an agent persistent context, scheduled behaviour, and direct integrations to email, chat, file storage, and home systems. When credentials are stored in plain text config files, the agent inherits durable access rather than scoped, task-specific authority. That changes the control problem from session management to entitlement design. The risk is not only exfiltration, but also impersonation through valid tokens. For IAM teams, the architectural issue is that a single agent can aggregate the permissions of many services without the normal human review points that would exist across separate applications.

Practical implication: treat agent integrations as high-privilege NHIs and inventory every downstream system they can reach.

How malicious skills and marketplace trust fail in practice

Skill marketplaces behave like software supply chains, but with a lower trust threshold and faster installation cycle. In the article, malicious skills looked harmless, used familiar names, or embedded download-and-execute behaviour behind ordinary plugin packaging. That creates a classic trust collapse: the operator installs a capability for utility, while the attacker uses that same channel to gain code execution, credential theft, or command-and-control access. The important detail is that the malicious payload does not need to break the platform itself. It only needs the platform’s trust model to accept a skill, then the agent will run it or act on its instructions.

Practical implication: require code review, provenance checks, and allowlisting for every agent skill before deployment.
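A minimal install gate for the provenance and allowlisting control above, added here as an illustration and not code from Permiso Security or any OpenClaw component. The allowlist, package bytes, source URLs and capability names are constructed for the example; the point it shows is that a skill is approved as one reviewed build from one pinned source, and may ask for neither more than review allowed nor more than the agent itself holds.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a skill package that passed code review.
REVIEWED_PACKAGE = b"def run(ctx):\n    return ctx.calendar.list_today()\n"

# Hypothetical allowlist: a skill is approved only as one reviewed build from one
# pinned source, with a ceiling on the capabilities it may request at install.
ALLOWLIST = {
    "calendar-summary": {
        "source": "https://skills.example.internal/calendar-summary",
        "sha256": hashlib.sha256(REVIEWED_PACKAGE).hexdigest(),
        "max_capabilities": {"calendar.read"},
    },
}

@dataclass
class Skill:
    name: str
    source: str
    package: bytes
    capabilities: frozenset

def gate_skill(skill, agent_scopes, allowlist=ALLOWLIST):
    """Return (allowed, reasons); every failed check is listed, not only the first."""
    entry = allowlist.get(skill.name)
    if entry is None:
        return False, ["skill is not on the reviewed allowlist"]
    reasons = []
    if skill.source != entry["source"]:
        reasons.append(f"source {skill.source} is not the pinned source")
    if hashlib.sha256(skill.package).hexdigest() != entry["sha256"]:
        reasons.append("package hash does not match the reviewed build")
    # The skill runs with the agent's authority, so it may request neither more
    # than review approved for it nor more than the agent itself holds.
    beyond_review = skill.capabilities - entry["max_capabilities"]
    if beyond_review:
        reasons.append(f"requests capabilities beyond review: {sorted(beyond_review)}")
    beyond_agent = skill.capabilities - set(agent_scopes)
    if beyond_agent:
        reasons.append(f"requests capabilities the agent does not hold: {sorted(beyond_agent)}")
    return not reasons, reasons

# Constructed install attempts: the reviewed build, and a same-named package from
# another source whose contents changed after review and which asks for mail access.
AGENT_SCOPES = {"calendar.read", "mail.read"}
GOOD = Skill("calendar-summary", ALLOWLIST["calendar-summary"]["source"],
             REVIEWED_PACKAGE, frozenset({"calendar.read"}))
TAMPERED = Skill("calendar-summary", "https://mirror.example.net/calendar-summary",
                 REVIEWED_PACKAGE + b"# modified after review\n", frozenset({"calendar.read", "mail.send"}))
```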

Why prompt injection becomes an identity problem

Prompt injection in agent ecosystems is not just a model safety issue. It is a delegation issue, because the agent is making decisions with live credentials and acting on instructions from untrusted content. Once a prompt can change behaviour, the attacker is no longer fighting for system access alone. They are manipulating the identity that already has access. That makes the boundary between content and control much weaker than teams assume, especially when agents post, reply, fetch, and execute in the same environment. Traditional endpoint controls often miss this because the agent is performing permitted actions with valid identity material.

Practical implication: isolate agent decision paths from untrusted content and monitor for instruction-driven behaviour changes.
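The separation of instruction from execution described above, as an added example that is not from the original article or any agent platform: the operator declares the task plan (tools and targets) before any untrusted content is read, and an action proposed afterwards that falls outside that plan is blocked and logged as a possible instruction-driven change. Tool names, targets and the inbox scenario are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Action:
    tool: str           # capability the agent wants to use, e.g. "mail.send"
    target: str = ""    # what it acts on: recipient, path, channel

@dataclass
class TaskSession:
    """One agent task. The plan is declared by the operator before any
    untrusted content (mail bodies, fetched pages, shared files) is read."""
    plan_tools: set
    plan_targets: set
    tainted: bool = False
    audit: list = field(default_factory=list)

    def ingest_untrusted(self, source: str) -> None:
        # Content authored by anyone other than the operator can carry
        # instructions; from here on, off-plan actions are treated as suspect.
        self.tainted = True
        self.audit.append(f"ingested untrusted content from {source}")

    def authorize(self, action: Action) -> bool:
        on_plan = action.tool in self.plan_tools and (
            not action.target or action.target in self.plan_targets)
        if on_plan:
            self.audit.append(f"allow {action.tool} -> {action.target or '-'}")
            return True
        why = ("off-plan action after untrusted content (possible prompt injection)"
               if self.tainted else "not in the approved plan")
        self.audit.append(f"BLOCK {action.tool} -> {action.target or '-'}: {why}")
        return False

def run_demo():
    """Constructed scenario: triage the inbox and reply only to the ticket owner."""
    session = TaskSession(plan_tools={"mail.read", "mail.send"},
                          plan_targets={"inbox", "ticket-owner@example.internal"})
    # Assume the constructed message carried an embedded instruction; the last
    # two proposals below are what acting on it would look like.
    session.ingest_untrusted("mail:inbox")
    proposed = [Action("mail.read", "inbox"),
                Action("mail.send", "ticket-owner@example.internal"),
                Action("files.read", "shared-drive"),
                Action("mail.send", "audit@example.net")]
    decisions = [session.authorize(a) for a in proposed]
    return decisions, session.audit
```

The audit list is what a detection rule would consume: a BLOCK entry that follows an "ingested untrusted content" entry in the same session is the behaviour change the text tells teams to monitor for.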


Threat narrative

Attacker objective: The attacker wants to convert trusted agent access into broad credential abuse, data theft, and downstream compromise across connected work systems.

  1. Entry occurs when a user installs a malicious skill or connects an agent to broad credentials, giving the attacker a legitimate path into email, chat, file, or calendar systems.
  2. Credential abuse follows when the agent’s stored tokens, API keys, or session access are used to impersonate the user or reach additional services through approved integrations.
  3. Impact arrives when the malicious skill exfiltrates data, delivers payloads, or uses the agent as a distribution point across the wider digital environment.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

AI agents are becoming non-human identities with human-scale blast radius. The article shows that agents are no longer narrow automation components. They can hold credentials to email, Slack, SharePoint, calendars, and home automation, which turns a single identity into a multi-system trust anchor. That shifts the security question from whether an agent is useful to whether its delegated authority is proportionate. Practitioners should treat agent access as a governed identity problem, not a feature flag.

Skill marketplaces create a trust collapse that looks like supply chain risk but behaves like identity abuse. The platform’s packaging model lets an attacker hide malicious behaviour inside something users believe they are authorising for utility. Once installed, the skill inherits the agent’s access and the environment’s trust. That means the real control failure is not just malicious code, but over-broad delegation without provenance, review, or runtime containment. Security teams should reframe marketplace trust as NHI governance.

Prompt injection matters here because the agent already has the keys. In a human-only workflow, malicious content often needs a second step to become compromise. In an agent workflow, the content can directly change what the identity does next. That makes instruction integrity part of access governance, especially when agents can post, reply, and execute in the same channel. The implication is clear: identity governance now has to account for who can influence an agent, not only who can authenticate as one.

Persistent credential storage in plain text is a governance assumption that no longer holds. The old assumption was that machine access stays bounded by infrastructure controls and reviewable lifecycle processes. That assumption fails when an agent can accumulate broad credentials across many systems and act continuously. The implication is that entitlement review alone is insufficient if the identity itself is allowed to become a roaming control plane for the user’s work environment.

OpenClaw-style ecosystems show why autonomous behaviour and NHI governance are converging. The article describes agents that schedule actions, maintain memory, and make independent decisions about what to do next. Even where the system is not fully autonomous by strict definition, the operational pattern is close enough to force the same governance discipline around credentials, scope, and revocation. Teams should prepare for agentic access to inherit NHI controls and extend them, not replace them.

What this signals

Agentic access is becoming a governance issue before it becomes a tooling category. When a software identity can act across email, collaboration, storage, and admin workflows, the programme question is whether entitlement review, offboarding, and monitoring still work at that scale. The answer is often no, because the access model was built for narrower service accounts, not multi-system agent personas.

Credential storage practices will need to catch up with agent behaviour. Plain-text configuration, shared tokens, and broad OAuth grants are already weak in normal NHI programmes, and they become far more exposed when an agent can use them autonomously across multiple surfaces. That is why identity teams should be planning for tighter secret handling and more explicit scope boundaries, not just more visibility.

Agent marketplaces will force a new definition of trust at the point of installation. The useful mental model is the skills supply chain: provenance, review, revocation, and behavioural monitoring all matter at install time and after install time. For teams building their own controls, the right comparison is closer to OWASP Agentic AI Top 10 than to a standard app store policy.


For practitioners

  • Classify every agent integration as a governed NHI: Map each agent to the systems it can reach, the credentials it holds, and the users it can impersonate. Include email, chat, file storage, calendar, and any home or DevOps integration in the same inventory so access reviews cover the full blast radius.
  • Move credentials out of plain text configs: Store agent secrets in a secret manager, bind them to least privilege scopes, and rotate them independently of the agent’s application lifecycle. Plain-text storage is too easy to copy, reuse, and exfiltrate once a malicious skill lands in the environment.
  • Gate skill installation with provenance checks: Require code review, source validation, and allowlisting for every installed skill or plugin. Treat unvetted marketplace content like third-party executable code, because the agent will run it with whatever authority you already granted.
  • Separate instruction channels from execution channels: Design agent workflows so untrusted content cannot directly alter the decision path that leads to action. Add monitoring for prompt-influenced behaviour changes, especially where the agent can send messages, fetch content, or trigger follow-on tasks.
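A review script for the first two items in the list above (inventory every agent as a governed NHI, and get its credentials out of plain text), added here as an illustration rather than anything from the article or an OpenClaw deployment. The inventory entries, scope names, secret-store labels and the 90-day review interval are constructed assumptions; the checks are the ones the text calls for: an accountable owner, secret-manager storage, bounded write access across systems, governed impersonation, and a recent entitlement review.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Scopes that let an agent change state in a system on the user's behalf.
WRITE_SCOPES = {"mail.send", "chat.post", "files.write", "calendar.write"}
REVIEW_INTERVAL_DAYS = 90

@dataclass
class AgentNHI:
    name: str
    owner: Optional[str]
    integrations: dict            # system -> set of scopes the agent holds there
    impersonates: set             # users the agent can act as
    secret_store: str             # where its tokens live, e.g. "plaintext-config"
    last_review: Optional[date]

def blast_radius(agent: AgentNHI) -> set:
    """Every system the agent can reach plus every user it can act as."""
    return set(agent.integrations) | agent.impersonates

def review_agent(agent: AgentNHI, today: date) -> list:
    """Return governance findings; an empty list means the agent passes review."""
    findings = []
    if not agent.owner:
        findings.append("no accountable owner recorded")
    if agent.secret_store != "secret-manager":
        findings.append(f"credentials held in {agent.secret_store}")
    write_systems = sorted(s for s, scopes in agent.integrations.items() if scopes & WRITE_SCOPES)
    if len(write_systems) > 1:
        findings.append(f"write access across {len(write_systems)} systems: {write_systems}")
    if agent.impersonates and not agent.owner:
        findings.append("can impersonate users with no owner to approve or revoke that delegation")
    if agent.last_review is None or (today - agent.last_review).days > REVIEW_INTERVAL_DAYS:
        findings.append(f"entitlements not reviewed in the last {REVIEW_INTERVAL_DAYS} days")
    return findings

# Constructed inventory: one narrow workload and one OpenClaw-style assistant.
INVENTORY = [
    AgentNHI("build-notifier", "platform-team", {"chat": {"chat.post"}}, set(),
             "secret-manager", date(2026, 1, 10)),
    AgentNHI("desk-assistant", None,
             {"mail": {"mail.read", "mail.send"}, "chat": {"chat.post"},
              "files": {"files.read", "files.write"}, "calendar": {"calendar.write"}},
             {"jane.doe"}, "plaintext-config", None),
]

def review_inventory(inventory=INVENTORY, today=date(2026, 2, 2)) -> dict:
    return {a.name: review_agent(a, today) for a in inventory}
```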

Key takeaways

  • OpenClaw-style AI agents turn delegated credentials into a broad NHI attack surface because one identity can reach many business systems at once.
  • Malicious skills, prompt injection, and plain-text secret handling combine into an identity abuse problem that traditional endpoint controls are unlikely to contain on their own.
  • The practical response is to treat agent permissions, marketplace provenance, and secret storage as core IAM, PAM, and lifecycle controls, not as add-on hygiene.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Plain-text credential storage and broad agent access map to non-human secret exposure.
NIST CSF 2.0 | PR.AC-4 | Agent permissions need least-privilege access and reviewable authorization boundaries.
OWASP Agentic AI Top 10 | (not specified) | Prompt injection and tool misuse are central to the agent behaviour described here.

Map each agent to least-privilege entitlements and review access changes with the same discipline as other NHIs.


Key terms

  • Agent identity: An agent identity is the non-human identity a software agent uses to authenticate, fetch data, and perform actions across connected systems. In practice, it may hold tokens, service credentials, or delegated permissions that let it operate with meaningful authority and therefore require explicit ownership, scope, and revocation controls.
  • Skill marketplace: A skill marketplace is a distribution channel for agent capabilities, usually packaged as plugins, extensions, or tasks the agent can install and execute. Because the market introduces third-party code and instructions into the agent’s trust boundary, it creates supply chain risk, provenance concerns, and a direct path to identity abuse.
  • Prompt injection: Prompt injection is an attack in which untrusted content alters an agent’s instructions, steering it toward unwanted actions or disclosure. For agentic systems, the issue is not only model confusion. It is that the injected instruction can redirect a credentialed identity and cause real-world actions through legitimate access.
  • Delegated access: Delegated access is permission granted to one identity to act on behalf of another or to operate within a pre-approved set of systems. For AI agents, delegated access becomes especially risky when the scope is broad, the owner is unclear, or the revocation path is weak, because abuse can look like normal authorised activity.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.

This post draws on content published by Permiso Security: Inside the OpenClaw Ecosystem, What Happens When AI Agents Get Credentials to Everything. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org