Overview
Prompt injection attacks against the Amp AI Agent can exfiltrate API keys from the agent's environment. Malicious content processed by the agent can cause it to read the credentials available to it and send them to attacker-controlled endpoints.
Who Is Affected
Reported by mcpsec.dev. Affects users of the Amp AI development agent who process untrusted content through the agent.
Where It Exists
The vulnerability is in the Amp AI Agent's handling of its credential environment. API keys and tokens accessible in the agent's context can be extracted via prompt injection in processed content.
When It Was Found
Advisory published October 3, 2025 on mcpsec.dev.
How It Works
An attacker embeds prompt injection in content that the Amp AI Agent will process (code comments, documentation, issue descriptions). The injected instructions direct the agent to read API keys from its environment or configuration and exfiltrate them through MCP tool calls, HTTP requests, or by encoding them in seemingly innocuous outputs.
Impact
Theft of API keys for cloud services, AI providers, code repositories, and other integrations. Compromised keys enable access to the victim's accounts and infrastructure. The impact multiplies as development agents typically have access to multiple service credentials.
Mitigation
Isolate credential storage from the context the agent can read. Use short-lived, narrowly scoped tokens. Implement prompt injection detection on all input content. Monitor for unusual API key usage patterns, including credential values appearing in the agent's outbound requests and tool calls. Never store long-lived credentials in the agent's environment variables.
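As an added example (not code from the advisory or from Amp), the following Python egress guard implements the monitoring step above for the exfiltration paths described under How It Works: before an MCP tool call or HTTP request leaves the agent, it scans the outgoing payload for the values of environment secrets in plain, hex and base64 form. The environment variables, their values and the tool name are constructed placeholders.

```python
import base64
import json

# Constructed sample environment standing in for the credentials an agent
# process might hold (hypothetical names and values, not real keys).
SAMPLE_ENV = {
    "OPENAI_API_KEY": "sk-constructed-example-key-0123456789abcdef",
    "GITHUB_TOKEN": "ghp_constructedExampleToken0123456789abcdef",
    "HOME": "/home/dev",  # short, non-secret value: ignored by the guard
}

MIN_SECRET_LEN = 16  # shorter values produce too many false positives


def fingerprints(value: str) -> set:
    """Forms a secret may take when an agent encodes it into 'innocuous' output."""
    raw = value.encode()
    forms = {value, raw.hex(), raw.hex().upper()}
    # Base64 output for the secret depends on its byte offset mod 3 inside the
    # surrounding text, so fingerprint all three alignments and keep only the
    # middle: the first and last 4 chars depend on neighbouring bytes.
    for offset in range(3):
        enc = base64.b64encode(b"\0" * offset + raw).decode()
        forms.add(enc[4:-4])
    return forms


def find_leaks(payload, env: dict) -> list:
    """Return the names of env secrets whose value appears in an outgoing payload.

    payload is whatever the agent is about to send (tool-call arguments, an
    HTTP body, plain text); dicts and lists are serialised before scanning."""
    text = payload if isinstance(payload, str) else json.dumps(payload)
    leaked = []
    for name, value in env.items():
        if len(value) < MIN_SECRET_LEN:
            continue
        if any(form in text for form in fingerprints(value)):
            leaked.append(name)
    return sorted(leaked)


def guard_tool_call(tool: str, args: dict, env: dict) -> dict:
    """Egress check to run before an MCP tool call or HTTP request leaves the
    agent: deny the call and report which credentials would have leaked."""
    leaks = find_leaks({"tool": tool, "args": args}, env)
    if leaks:
        return {"allowed": False, "reason": f"credential egress blocked: {leaks}"}
    return {"allowed": True}
```

Deploy the check in the layer that dispatches tool calls and HTTP requests, and log every denial so that the injected content that triggered it can be traced back to its source.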