Credential Leak
Skills that expose API keys, tokens, passwords, or private keys in their source code or descriptions
What is a credential leak?
Credential leaks happen when a skill's code or configuration contains hardcoded secrets: API keys, database passwords, private keys, OAuth tokens, webhook secrets. Sometimes these are the skill author's own credentials, accidentally committed. Other times, the skill is designed to trick users into providing their credentials in a way that exposes them.
The patterns are well known in traditional software: a .env file checked into version control, a private key pasted into a config file, an API token hardcoded in a connection string. In the AI skill ecosystem, the same mistakes happen, but with a twist. Skill descriptions and tool definitions are public by design. They are meant to be read by AI agents. So a credential sitting in a skill's metadata is immediately accessible to every agent that loads it.
Aguara detects twelve distinct credential patterns, from AWS access keys and GitHub tokens to PEM-encoded private keys and generic high-entropy strings that look like secrets. The scanner checks both the skill definition files and any configuration templates shipped with the skill.
Why this matters for AI agents
When an AI agent loads a skill, it ingests the full description and tool definitions into its context. If credentials are embedded in that text, the agent now "knows" those secrets. Depending on the agent's design, those secrets might appear in logs, get sent to other MCP servers the agent is connected to, or leak through the agent's responses to the user.
The blast radius is different from a leaked credential in a traditional codebase. A hardcoded API key in a Python file on GitHub might get caught by GitHub secret scanning. But a credential embedded in a skill description on a smaller registry might sit undetected for months, silently loaded into thousands of agent sessions.
There is also the social engineering angle. A skill could instruct the agent to ask the user for credentials, then store or transmit them. This is harder to detect with pattern matching alone, which is why the NLP credential-exfiltration combo rule exists as a cross-category detection.
Real-world examples
A database management skill ships with a default configuration that includes the author's database URL and auth token. The author forgot to replace them with placeholders. Anyone who reads the skill definition (or any agent that loads it) now has read-write access to the author's production database.
A skill's source code contains an AWS access key and secret key pair, hardcoded as fallback values in case environment variables are not set. The skill author intended these as "development-only" credentials, but the AWS account has production S3 access. Automated scanners on other platforms do not catch it because the skill is not hosted on GitHub.
A "password manager" skill asks users to provide their master password through the tool input parameters. The skill description says it stores passwords locally, but the tool definition reveals it transmits inputs to an external API endpoint. The credential never stays local.
How to protect against it
Never put real credentials in skill definitions, configuration templates, or example code. Use placeholder strings like YOUR_API_KEY_HERE or reference environment variables exclusively. If your skill needs credentials to function, document which environment variables or secret stores it reads from, and let the user provide their own.
Before publishing a skill, run a secret scanner on your entire project directory. Tools like trufflehog, gitleaks, or Aguara itself will catch most patterns. Make this part of your CI pipeline so credentials cannot sneak in through a careless commit.
If you are evaluating skills to install, check whether the skill requests credentials through its input parameters rather than environment variables. A well-designed skill never handles raw credentials in its tool interface. It reads them from the environment at runtime, outside the agent context window.
Aguara detection rules (12)
Detects AWS access key IDs
Detects GitHub personal access tokens
Detects PEM-encoded private keys
Detects database connection strings with credentials
Detects Slack and Discord webhook URLs
Detects Google Cloud Platform service account credentials
Detects JWT tokens
Detects API keys or tokens exposed in shell export commands
Detects Stripe live and test API keys
Detects command-line flags passing credentials with real-looking values
Detects SSH or SCP commands referencing private key files
Detects Docker or docker-compose commands passing credentials via environment variables
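As an added illustration of the rule list above and of the "run a secret scanner" advice in "How to protect against it", the following Python scanner (example code written for this page, not Aguara's own implementation) reimplements a subset of those patterns as regexes, suppresses placeholder values such as YOUR_API_KEY_HERE or ${VAR}, and runs over a constructed skill definition. The rule names, regexes, placeholder markers and every secret-looking sample value are this example's own.

```python
import re
from dataclasses import dataclass

# Subset of the credential patterns named on this page; the regexes are this example's own.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "pem-private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "db-connection-string": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:/\s@]+:[^@\s]+@"),
    "slack-webhook": re.compile(r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"),
    "shell-export-secret": re.compile(r"\bexport\s+\w*(?:KEY|TOKEN|SECRET|PASSWORD)\w*\s*=\s*[\"']?([^\s\"']+)"),
}
# Markers that mean "placeholder, not a live secret"; such values are not reported.
PLACEHOLDER_MARKERS = ("YOUR_", "EXAMPLE", "PLACEHOLDER", "CHANGEME", "<", "${")

@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    redacted: str  # short prefix only, so the report never echoes the secret

def is_placeholder(value: str) -> bool:
    return any(marker in value.upper() for marker in PLACEHOLDER_MARKERS)

def scan_skill_text(text: str) -> list[Finding]:
    """Return one Finding per credential-looking value, tagged with its 1-based line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                # The export rule captures the assigned value; the others match the secret itself.
                value = m.group(1) if m.lastindex else m.group(0)
                if not is_placeholder(value):
                    findings.append(Finding(rule, line_no, value[:6] + "..."))
    return findings

# Constructed skill definition for the demo; every secret-looking value below is fake.
SAMPLE_SKILL = """\
config_template: |
  DATABASE_URL=postgres://admin:hunter2@db.internal.test:5432/app
  AWS_ACCESS_KEY_ID=AKIAZZ00FAKEKEY0ABCD
setup: |
  export GITHUB_TOKEN="ghp_0123456789abcdef0123456789abcdef0123"
  export STRIPE_SECRET_KEY=${STRIPE_SECRET_KEY}
  export API_KEY=YOUR_API_KEY_HERE
notify: https://hooks.slack.com/services/T0ABC1234/B0DEF5678/abcDEFghi123
deploy_key: |
  -----BEGIN OPENSSH PRIVATE KEY-----
  (key body omitted from this constructed sample)
"""
```

Running scan_skill_text(SAMPLE_SKILL) reports six findings on lines 2, 3, 5 (twice: the token itself and the export statement), 8 and 10, while the ${STRIPE_SECRET_KEY} and YOUR_API_KEY_HERE lines are correctly ignored as placeholders.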