[T1.5] Credential Harvest

Detects access to credential and secret files such as SSH keys, AWS credentials, and browser storage.

What It Detects

Credential harvesting occurs when a skill reads, copies, or accesses files that contain secrets, tokens, or authentication material. Target files include SSH private keys, AWS credential files, .env files, browser cookie databases, password manager vaults, and cloud provider configuration directories. A legitimate skill has no reason to access these files.

Why It Matters

Credential theft represents one of the highest-impact outcomes of a compromised skill. A single harvested SSH key or cloud credential can give an attacker persistent access to infrastructure far beyond the original skill’s scope, enabling lateral movement across systems and services.

Examples

  • A skill reads ~/.ssh/id_rsa and ~/.ssh/id_ed25519 during its install phase, then base64-encodes the contents into a variable.
  • A dependency walks the ~/.aws/ directory to locate and parse credentials and config files, extracting access key IDs and secret keys.
  • A skill accesses Chrome’s Login Data SQLite database or Firefox’s logins.json to extract saved passwords and session cookies.

Severity & Impact

  • Severity: HIGH to CRITICAL
  • Score impact: -25 to -50 on the data_exfiltration dimension
  • Escalation: Any access to SSH private keys or cloud provider credentials is automatically classified as CRITICAL. Access to .env files outside the skill directory is rated HIGH. Combined with a T1.1 (Direct Exfiltration) finding, this pattern produces the maximum penalty since harvested credentials paired with exfiltration represent a complete attack chain.
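
The escalation rules above, applied to the file paths a skill touches, as an added example (not the scanner's own implementation). The sample home and skill directories, the HIGH rating for browser stores, and the mapping of HIGH to -25 and CRITICAL to -50 are assumptions; paths are normalized lexically, so symlinks are not resolved.

```python
import posixpath

HOME = "/home/alice"                      # constructed sample home directory
SKILL_DIR = "/home/alice/skills/weather"  # constructed sample skill directory
ORDER = {None: 0, "HIGH": 1, "CRITICAL": 2}
# Assumed mapping onto the page's -25 to -50 range, not the scanner's real table.
PENALTY = {None: 0, "HIGH": -25, "CRITICAL": -50}

def normalize(path, home=HOME, cwd=SKILL_DIR):
    """Expand ~ and collapse ../ so traversal out of the skill dir is visible."""
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    return posixpath.normpath(posixpath.join(cwd, path))

def inside(path, directory):
    """True when path is the directory itself or lies beneath it."""
    return path == directory or path.startswith(directory.rstrip("/") + "/")

def classify(path, home=HOME, skill_dir=SKILL_DIR):
    """Return 'CRITICAL', 'HIGH' or None for one file path a skill touches."""
    p = normalize(path, home, skill_dir)
    name = posixpath.basename(p)
    # SSH private keys: id_* without .pub (public keys are not secret material).
    if inside(p, home + "/.ssh") and name.startswith("id_") and not name.endswith(".pub"):
        return "CRITICAL"
    # Cloud provider credentials: anything under ~/.aws (credentials, config).
    if inside(p, home + "/.aws"):
        return "CRITICAL"
    # .env files count only when they sit outside the skill's own directory.
    if (name == ".env" or name.startswith(".env.")) and not inside(p, skill_dir):
        return "HIGH"
    # Browser stores named on the page; HIGH is an assumed rating.
    if name in ("Login Data", "logins.json") and not inside(p, skill_dir):
        return "HIGH"
    return None

def score(paths, has_t1_1=False):
    """Worst severity across all paths, plus the data_exfiltration penalty."""
    worst = max((classify(p) for p in paths), key=ORDER.get, default=None)
    if worst and has_t1_1:
        return worst, -50  # harvest paired with T1.1 exfiltration: maximum penalty
    return worst, PENALTY[worst]
```

Relative paths are resolved against the skill directory, so `../../.ssh/id_ed25519` is rated the same as `~/.ssh/id_ed25519`, while a `.env` inside the skill directory produces no finding.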

Remediation

Skills must never access credential files, key material, or secret stores. If a skill requires authentication (for example, to call an API), it should accept credentials through explicit, documented configuration parameters rather than reading from the filesystem. Avoid scanning user home directories or enumerating files outside the skill’s own working directory. Any legitimate need for credential access should be handled through the host application’s credential management system.