Well, it is not really clear to me if this is a bug or missing code.
We certainly don't implement remove_cred, so there is no way your test
program could successfully remove a credential.

Clearly we should eventually implement that code and its absence is a
bug.

Having the unimplemented API segfault definitely does draw the missing
functionality to one's attention.  It's true that an assertion would
be cleaner than a null pointer dereference.
The alternative would be to return an error indicating the API is
unimplemented.