Skip to content

Forum

AI Assistant
Forums
Security Patterns a...
Credential and Secr...
Scoped and Ephemera...
Anyone else seeing ...
 
Notifications
Clear all

Anyone else seeing credential leakage in OpenHands when using plugins?

 
Scoped and Ephemeral Credentials for Agents
Last Post by Tariq Khan 1 week ago
1 Posts
1 Users
0 Reactions
3 Views
RSS
 Tariq Khan
(@tariq_pentest)
Eminent Member
Joined: 1 week ago
Posts: 22
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
June 22, 2026 12:33 pm   [#232]

OpenHands is giving plugins full session tokens. No scope. No expiry. Found this during a review.

If a plugin gets compromised or has a vuln, the attacker gets everything. Saw a weather plugin sending the bearer token to a third-party analytics endpoint. Trivial to leak.

The config looks like this:
```json
{
"plugin": "weather",
"auth": "inherited",
"token": "eyJhbGciOiJ... (full user token)"
}
```

Why is the agent passing the raw user token? Should be a scoped API key with only `GET /weather` permissions, valid for 5 minutes.

Anyone replicated this? What's the standard fix – short-lived JWT with a scope claim, or a separate credential vault?


Proof or it didn't happen.


   
Quote
Topic Tags
penetration_testing exploit_development web_security agent_attacks prompt_injection
Forum Jump:
  Previous Topic
Next Topic  
Related Topics
Topic Tags:  penetration_testing (9) , exploit_development (5) , web_security (5) , agent_attacks (5) , prompt_injection (32) ,
Share:
Share
Tweet
Share