An attacker who reaches an agentic environment is not there for the agent - the agent is transport. The target is what it has always been on a developer's machine: the assets it stores and the systems it can reach. What is new is that one piece of software reads all of them fluently, runs with the developer's privileges, and follows instructions from text.
This page catalogs those crown jewels and explains why an AI agent is the shortest path to them. Every risk in this model - prompt injection, malicious skills, excessive MCP permissions - ends here.
Why agents concentrate the risk
Three properties of agents turn scattered assets into one reachable pile. They run with the developer's privileges: no sandbox sits between the agent and ~/.aws, ~/.ssh, the shell, or the browser profile. They read files fluently, finding a token in a config file or a key in git history in seconds. And they are steered by text, so any content in the context window can redirect that access toward the crown jewels.
The result is concentration: credentials once spread across files a human rarely opened together are now one prompt away from being read and - if the agent can reach the network - sent out.
Attack scenarios
- Cloud credentials and API keys. Long-lived keys sit in environment variables, .env files, ~/.aws/credentials, and app config - ordinary files to an agent. A dependency-borne stealer automates the same read, as in the Hades credential stealer.
- SSH keys, session tokens, and browser cookies. Private keys in ~/.ssh, CLI session caches, and browser cookies are reusable access to other systems. Stolen cookies ride an already-authenticated session and sidestep passwords and MFA.
- Source code and intellectual property. The repository the agent is editing is a crown jewel, and git history often holds more secrets than the working tree. Exfiltration is quiet because reading source is the agent's normal job - part of why traditional DLP fails to catch it.
- Stolen LLM API keys. The keys authorizing the agent's own model calls are a monetizable target in their own right: harvested keys are resold and abused to run inference on someone else's bill - see LLMjacking.
Related techniques
- Lateral movement from network position. The endpoint's place inside the perimeter - VPN, service mesh, internal DNS - is itself a prize, covered under local network exposure.
- Delivered collectors. The read-and-exfiltrate logic often ships inside a malicious skill or MCP server.
- Code execution. Once an agent runs attacker-influenced code, sweeping up the crown jewels is a scripted step.
Mitigations
- Take the secrets off the endpoint. The most durable control is having little to steal: short-lived, scoped credentials issued on demand, so a read yields something already expiring.
- Give agents least privilege. Scope what each agent and its MCP tools can read; an agent that never needs ~/.ssh or the browser profile should not reach them. See excessive MCP permissions.
- Enforce at the tool-call boundary. Reading or sending an asset is a tool call. A hook that checks those calls against policy before they run turns a collection attempt into a logged, denied event.
- Constrain egress. Access becomes loss only when data can leave. Limit where agents can send, so a read cannot chain into exfiltration - the same exposure employees create by pasting data into chatbots.
- Keep a queryable audit trail. Access to the crown jewels is the signal that matters; retain the tool calls that touched them long enough to investigate, per the audit trail guide.
How Anomity helps
Anomity's lightweight, unprivileged Endpoint Sensor inventories every agent, MCP server, and skill that can reach the endpoint's crown jewels, and discovers where secrets sit. It sends metadata only over HTTPS - never source code, never prompts - and redacts secrets on the endpoint, so the visibility layer is not another copy of what attackers want. On agents that expose a hook, such as Claude Code's PreToolUse, each tool call is allowed, denied, or logged before it runs, which breaks a read-and-exfiltrate chain. Violations route to SIEM, Slack, email, and Jira, and every tool call lands in a queryable 90-day audit trail that complements the DLP and EDR controls never built to watch an AI agent.




