PromptRiskDBThreat intelligence atlas

AI Agent Configuration - AI Security Technique

AI Security Technique

Adversaries may acquire publicly accessible AI agent configuration files to understand agent capabilities, gain unauthorized access to tools and data sources, or identify credentials for further attacks. Configuration files define what tools an agent can use, credentials for external services, system prompts, and behavioral settings, making valuable resources for adversaries targeting AI agent deployments. Once co...

Overview

A source-backed snapshot of this AI security technique.

Adversaries may acquire publicly accessible AI agent configuration files to understand agent capabilities, gain unauthorized access to tools and data sources, or identify credentials for further attacks. Configuration files define what tools an agent can use, credentials for external services, system prompts, and behavioral settings, making valuable resources for adversaries targeting AI agent deployments.

Once configuration files are acquired, adversaries may perform Discover AI Agent Configuration to gain additional insights they can use in their operation or Credentials from AI Agent Configuration to harvest secrets.

AI agent configuration files come in multiple forms depending on the platform and agent framework. Agent configuration files adversaries may target include:

  • System prompts: Files containing agent instructions, behavioral guidelines, and internal logic.
  • Tool configuration: Files defining tools the agent can utilize, including Model Context Protocol (MCP) configs (e.g., mcp.json, claude_desktop_config.json), IDE-specific configs (e.g., .claude/settings.json, .vscode/tasks.json), and framework-specific settings that define external tool and data source integrations.
  • Skills and workflows: Files defining agent capabilities, behaviors, or workflows. Often a combination of instructions, scripts, and resources.
  • Environment and deployment configs: Files that control agent deployment and runtime behavior, often environment variables or framework-specific configs.
Tactics0Attacker goals connected to this method.
Mitigations0Defenses that may help against this attack.
AI risks0Research-backed risks connected to this topic.

Technique details

Identifiers, maturity, and source taxonomy for this technique.

ATLAS ID
AML.T0002.002
Maturity
demonstrated
Priority score
30

Attack flow

How to read the public records connected to this technique.

1. TechniqueRead the ATLAS description and evidence level.
2. TacticsSee which attacker goals this method supports.
3. ExamplesCheck whether public case studies mention it.
4. DefensesReview safeguards mapped by ATLAS.
5. SourcesOpen the original public records and references.

Impact

Why this technique may deserve attention in the current dataset.

  • Evidence leveldemonstrated
  • Mapped defenses0 ATLAS mitigation records
  • Public examples1 linked case study records
  • Research risks0 related MIT AI Risk records above the confidence threshold
  • Vulnerabilities0 linked CVE records

Mitigations

Defenses that may help against this attack.

No connected defenses. No defense is connected to this attack in the current data.

Case studies

Examples from public reports and exercises.

OpenClaw Command & Control via Prompt Injection

Researchers at HiddenLayer demonstrated how a webpage can embed an indirect prompt injection that causes OpenClaw to silently execute a malicious script. Once executed, the script plants persistent malicious instructions into future system prompts, allowing the attacker to issue new commands, turning OpenClaw into a command and control agent.

What makes this attack unique is that, through a simple indirect prompt injection attack into an agentic lifecycle, untrusted content can be used to spoof the model’s control scheme and induce unapproved tool invocation for execution. Through this single inject, an LLM can become a persistent, automated command & control implant.

Date2026-02-03
exercise

Source evidence

Original public records and references for this page.