> ## Documentation Index > Fetch the complete documentation index at: https://docs.kontext.security/llms.txt > Use this file to discover all available pages before exploring further. # Where It Breaks > Failure modes when agents use shared, static, or overprivileged credentials. The patterns from the previous page share a structural weakness: credentials are too broad, last too long, and are not attributable to a specific agent-user delegation. ## Blast radius is unlimited When an agent holds a shared credential, compromise of one path can expose everything that credential allows. ```python theme={"system"} # Task: summarize issues in one repo # Needed: issues:read on acme/backend # Granted: org-wide token @server.tool("summarize_issues") async def summarize_issues(repo: str) -> str: gh = Github(os.environ["GITHUB_TOKEN"]) # Intended behavior issues = gh.get_repo(repo).get_issues(state="open") # Same token could also do much more: # gh.get_repo("acme/secrets").get_contents("production.env") # gh.get_repo("acme/backend").delete() # gh.get_organization("acme").edit(billing_email="attacker@evil.com") ``` ## Prompt injection becomes a systems attack Without credentials, prompt injection is mostly a content integrity issue. With credentials, it becomes an infrastructure issue. ```text theme={"system"} 1) User asks: "Summarize latest issues in acme/backend" 2) Agent reads issue text containing hidden malicious instructions 3) LLM treats those instructions as operational guidance 4) Agent executes tool calls using real credentials 5) Agent creates/modifies resources or exfiltrates data ``` The agent does not just say something wrong. It performs authenticated actions that can be destructive. ## You cannot revoke one agent Shared credentials force all-or-nothing incident response. ```text theme={"system"} Shared token is used by: - Agent A (PR review) - Agent B (issue triage) <-- compromised - Agent C (release notes) - CI pipeline - Cron jobs Options: - Revoke token: everything breaks - Keep token: compromised agent keeps access - Rotate token: update every consumer and redeploy ``` There is no surgical kill switch for one agent. ## No audit trail Shared credentials collapse many actors into one identity. ```json theme={"system"} { "actor": "github-bot", "action": "repo.branch_delete", "repo": "acme/backend", "timestamp": "2026-03-03T09:32:14Z" } ``` This does not answer the key questions: which agent, on whose behalf, from which prompt, under what policy. ## Credentials leak through outputs Agents run in adversarial conditions. Credentials in process memory can leak through many paths. ```python theme={"system"} # Path 1: Tool args can end up in observability logs await agent.call_tool("http_request", { "url": "https://api.github.com/repos/acme/backend", "headers": {"Authorization": f"Bearer {os.environ['GITHUB_TOKEN']}"} }) # Path 2: Error logging can serialize headers except requests.HTTPError as e: logger.error(f"API call failed: {e.request.headers}") # Path 3: LLM output can be steered to include sensitive context ``` The risk surface includes logs, traces, exceptions, tool payloads, and generated responses. ## Overprivileged by default Static tokens keep all original scopes for every task. ```text theme={"system"} Task: "Read README from acme/docs" Needed: contents:read Token scopes (example): - contents:read - contents:write - issues:write - pull_requests:write - admin:repo_hook - delete_repo ``` Least privilege is not enforced per invocation, so every task runs with excess permissions. *** This is why security teams often block agents in production. The core risk is not model output quality alone; it is credential architecture.