Part 4 · Prevention · Slide 20 of 27 · Mitigation 2 of 7
Credentials should only grant what the task requires — read-only when reading.
📄 OWASP LLM Top 10:2025 · LLM06 Prevention — Minimize Permissions
M2 — Least-Privilege Permissions
Authenticate Agents with the Minimum OAuth Scope and IAM Role for Each Task

“Avoid using overpowered extensions or tokens. Restrict the permissions granted to LLM extensions to only the minimum necessary. Authenticate to external services using OAuth with a scope limited to the specific task.” A read credential fails safely — an admin credential fails catastrophically.

OpenClaw (2026): corporate AI agents connected to Slack, Google Workspace, and project systems used shared admin service accounts. When malicious plugins exploited the agents, attackers inherited admin-level access to every connected system. The credentials were never scoped to the task — they were scoped to whatever was convenient to configure once.

→ For every external system an agent touches, define the minimum OAuth scope or IAM role needed
→ Use per-task credentials, not shared service accounts
→ Execute agent actions in the user’s security context where possible — actions inherit the user’s own access controls
→ Never use admin credentials for read-only tasks

Attempt a write, delete, or privileged operation using the agent’s credentials outside the agent. If it succeeds but the agent’s task doesn’t require it, the credential scope is too broad. Treat credential audits as part of your agent deployment checklist.
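
A static companion to that live check, as an added example (not from the original slide or from OWASP): it compares the scopes each agent task needs with the scopes its credential carries and flags excess scope, write-capable scope on read-only tasks, and credentials shared between tasks. The task names, credential ids, scope strings and the read-only naming convention are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample inventory: each agent task, the scopes its job needs, and
# the scopes its credential actually carries (for example the space-delimited
# "scope" field of an OAuth token introspection response).
# Task names, credential ids and scope strings are hypothetical.
SHARED_GRANT = "messages:read messages:write tickets:write admin"
INVENTORY = [
    {"task": "summarize-channel", "mode": "read", "credential": "svc-shared-admin",
     "required": "messages:read", "granted": SHARED_GRANT},
    {"task": "file-ticket", "mode": "write", "credential": "svc-shared-admin",
     "required": "tickets:write", "granted": SHARED_GRANT},
    {"task": "index-docs", "mode": "read", "credential": "task-index-docs",
     "required": "files:read", "granted": "files:read"},
]

def is_read_only(scope: str) -> bool:
    # Assumed naming convention. Anything unrecognised counts as
    # write-capable, so the audit fails closed.
    return scope.endswith((":read", ".readonly"))

def audit(inventory):
    """Return (subject, finding, detail) tuples for over-scoped credentials."""
    findings = []
    tasks_by_credential = defaultdict(set)
    for entry in inventory:
        required = set(entry["required"].split())
        granted = set(entry["granted"].split())
        tasks_by_credential[entry["credential"]].add(entry["task"])
        # Scope the credential holds that the task never needs.
        excess = sorted(granted - required)
        if excess:
            findings.append((entry["task"], "excess-scope", excess))
        # A read-only task must not hold any write-capable scope.
        if entry["mode"] == "read":
            writable = sorted(s for s in granted if not is_read_only(s))
            if writable:
                findings.append((entry["task"], "write-capable-on-read-task", writable))
    # One credential serving several tasks is a shared service account.
    for credential, tasks in sorted(tasks_by_credential.items()):
        if len(tasks) > 1:
            findings.append((credential, "shared-credential", sorted(tasks)))
    return findings

if __name__ == "__main__":
    for subject, finding, detail in audit(INVENTORY):
        print(f"{finding:28} {subject:20} {', '.join(detail)}")
```

Any finding from this comparison is a candidate for the live test above: try the flagged operation with the credential outside the agent and confirm it is refused once the scope is reduced.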
