Slide 11 · Attack Pattern 2 of 4
The agent’s credentials have admin scope. The task only needed read.
When the agent is compromised, the attacker inherits its credentials.
How It Works
An AI agent is set up with a shared service account for convenience — no need to handle individual user OAuth flows. The service account has admin-level access to project management, HR, and finance systems. The agent only summarizes project status. But its credentials can do anything those systems allow.
Agent purpose: "Read sprint tickets and summarize progress"
Required permission: projects:read
Granted permissions: projects:read, projects:write, projects:delete,
users:read, users:admin, billing:read, billing:write
Real Incident
OpenClaw Agent Crisis — Shadow Admin Privileges
Multiple CVEs · January 2026 · 21,000+ Exposed Instances
When employees connected OpenClaw agents to corporate Slack, Google Workspace, and project systems, they used admin service accounts for simplicity. When malicious marketplace plugins exploited the agents, attackers inherited admin-level access across all connected systems. The agents became undetected admin accounts: full read/write/delete with no visibility in traditional security tooling.
Takeaway: Authenticate agents with the minimum OAuth scope for each specific task. Read-only credentials fail safely — admin credentials fail catastrophically.