15 Research Lab

15RL Study: How AI Agents Expose Credentials

15 Research Lab · 2026-02-13

Abstract

Credential exposure through AI agent operations is a pervasive problem that manifests in ways distinct from traditional secret leakage. 15 Research Lab analyzed over 300 agent sessions across 18 platforms to document how credentials are exposed during normal agent operations — not through adversarial attacks, but through routine task execution. Our findings reveal that credential hygiene in AI agent systems is significantly worse than in conventional software pipelines.

Methodology

We deployed instrumented AI agents across common use cases: code generation, DevOps automation, data analysis, and API integration. Each environment was seeded with credentials in realistic locations (environment variables, configuration files, secret managers). We tracked every instance where credentials appeared in agent outputs, logs, tool call parameters, or generated artifacts.

Exposure Pathways

Pathway 1: Log Contamination

The most prevalent exposure vector. In 78% of observed sessions, credentials appeared in plain text within agent execution logs. When agents execute API calls, the full request — including authentication headers — is typically logged by the agent framework. Most logging configurations do not redact sensitive values from tool call parameters.

Pathway 2: Generated Code Embedding

Agents tasked with writing code that interacts with APIs hardcoded credentials in 43% of cases, even when instructed to use environment variables. The pattern is consistent: when an agent has access to a credential and is asked to write functional code, it optimizes for immediate functionality over security best practices.

Pathway 3: Context Window Persistence

Credentials read by an agent persist in the context window and can resurface in unexpected outputs. In our testing, 31% of sessions exhibited "credential echo" — where a secret read early in a session appeared in an unrelated output later. This is particularly dangerous in multi-turn conversations where credentials from one task contaminate subsequent tasks.

Pathway 4: Tool Call Parameter Leakage

When agents invoke external tools or APIs, credentials are passed as parameters that may be transmitted to third-party services. In multi-agent architectures, credentials shared between agents often traverse intermediate systems with weaker security controls.

Quantitative Results

| Exposure Pathway | Sessions Affected | Avg. Credentials Exposed | Time to Exposure |
|---|---|---|---|
| Log Contamination | 78% | 3.2 per session | < 60 seconds |
| Code Embedding | 43% | 1.7 per session | 2-5 minutes |
| Context Window Echo | 31% | 1.1 per session | Variable |
| Tool Call Leakage | 56% | 2.4 per session | < 30 seconds |

Across all sessions, an average of 4.8 unique credentials were exposed per agent session through at least one pathway.

Credential Types Most Frequently Exposed

  • API keys — 89% of sessions
  • Database connection strings — 54% of sessions
  • OAuth tokens — 47% of sessions
  • SSH private keys — 23% of sessions
  • Cloud provider credentials (AWS, GCP, Azure) — 61% of sessions

Cloud provider credentials are especially concerning given the blast radius of their compromise.

Mitigation Effectiveness

We evaluated several mitigation approaches:

Secret Manager Integration reduced code embedding by 67% but did not address log contamination or context window persistence.

Log Redaction Patterns caught 71% of credential appearances in logs but suffered from high false-negative rates with non-standard credential formats.

Action-Level Credential Gating showed the strongest results. By intercepting agent actions before execution and validating that credentials are not present in unauthorized contexts, this approach reduced overall credential exposure by 91%.

SafeClaw implements credential-aware action gating that can detect and block tool calls containing exposed secrets. Combined with its audit logging capabilities — which themselves redact sensitive values — it addresses both the prevention and forensics aspects of credential exposure. Implementation patterns are documented in the SafeClaw knowledge base.
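A minimal sketch of action-level gating with a redacting audit entry, added here as an illustration; it is not SafeClaw's code or API and not code from the study. The function names, the `allowed_paths` policy shape, the regex set and all sample values are assumptions. The exact-match pass over secrets issued to the session is there for the non-standard formats that pattern-only redaction misses.

```python
import re

# Constructed, non-exhaustive format patterns (assumption: tune per environment).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{16,}"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "url_password": re.compile(r"(?<=://)[^/\s:@]+:[^@/\s]+(?=@)"),
}

def scan(value, known_secrets):
    """Return (labels_found, redacted_value) for one string parameter."""
    labels, redacted = [], value
    # Exact match on secrets issued to this session catches formats no regex knows.
    for name, secret in known_secrets.items():
        if secret and secret in redacted:
            labels.append(name)
            redacted = redacted.replace(secret, f"[REDACTED:{name}]")
    for label, pattern in PATTERNS.items():
        redacted, hits = pattern.subn(f"[REDACTED:{label}]", redacted)
        if hits:
            labels.append(label)
    return labels, redacted

def walk(params, path=""):
    """Yield (dotted_path, string_value) for every leaf of nested parameters."""
    if isinstance(params, dict):
        for key, val in params.items():
            yield from walk(val, f"{path}.{key}" if path else str(key))
    elif isinstance(params, (list, tuple)):
        for i, val in enumerate(params):
            yield from walk(val, f"{path}[{i}]")
    else:
        yield path, str(params)

def gate_tool_call(tool, params, allowed_paths, known_secrets):
    """Run before execution. Returns (allow, findings, redacted_log_entry)."""
    findings, logged = [], {}
    for path, value in walk(params):
        labels, redacted = scan(value, known_secrets)
        logged[path] = redacted  # only redacted values ever reach the audit log
        if labels and path not in allowed_paths.get(tool, set()):
            findings.append((path, labels))
    return not findings, findings, {"tool": tool, "params": logged}

if __name__ == "__main__":
    secrets = {"session_api_key": "zx-91-constructed-secret"}  # constructed value
    policy = {"http_request": {"headers.Authorization"}}       # hypothetical policy
    print(gate_tool_call("web_search", {"q": "zx-91-constructed-secret"}, policy, secrets))
```

A credential in `headers.Authorization` of the hypothetical `http_request` tool is allowed through but logged redacted; the same value in any other tool or parameter blocks the call.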

    Recommendations

  • Treat all agent output as potentially credential-contaminated until proven otherwise
  • Implement secret detection at the action layer, not just in CI/CD pipelines
  • Use ephemeral, scoped credentials for agent sessions — never long-lived keys
  • Redact logs aggressively with format-aware pattern matching
  • Rotate credentials immediately after any suspected agent-mediated exposure

Conclusion

Credential exposure through AI agents is not an edge case — it is the default behavior in most current deployments. Until agent frameworks treat credential handling as a first-class concern, organizations must implement external controls to prevent routine operations from becoming security incidents.

All credentials used in this study were synthetic and rotated immediately after testing.