Agent given capabilities beyond what the task requires. Extra tools sit idle until an attacker triggers them. Demonstrated in Slack AI data exfiltration (August 2024).

Agent’s credentials have broader access than needed. Admin OAuth when read-only suffices. OpenClaw (2026): corporate AI agents with elevated cross-system privileges became undetected shadow admin accounts.

Attacker controls or compromises an MCP server, embeds malicious instructions in tool descriptions. CVE-2025-54136: 60–72% attack success rate in live deployments. Up to 200,000 vulnerable instances.

Attacker plants instructions in data the agent reads. Agent follows them using full authority. CVE-2025-53773: code comment → disabled confirmations → malware download → C2 connection.