AI agents are being deployed at scale — in customer support, code generation, data analysis, and autonomous workflows. But the code that powers these agents is rarely security-audited.
Consider this pattern, common in production agent codebases:
user_input = request.json()["prompt"]
prompt = f"You are a helpful assistant. {user_input}"
response = openai.chat.completions.create(
model="gpt-4",
messages=[{"role": "user", "content": prompt}]
)
This is a prompt injection vulnerability. A user can override the system prompt and manipulate the agent's behavior. It is the AI equivalent of SQL injection — and it is everywhere.
The OWASP Agentic Security Initiative published a Top 10 list of risks specific to AI agent systems:
| ID | Risk |
|---|---|
| ASI01 | Prompt Injection |
| ASI02 | Tool Abuse / Unintended Tool Use |
| ASI03 | Data Exfiltration / Sensitive Data Leakage |
| ASI04 | Unauthorized Actions / Excessive Agency |
| ASI05 | Supply Chain / Untrusted Components |
| ASI06 | Insecure Output Handling |
| ASI07 | Credential / Secret Exposure |
| ASI08 | Context Window Manipulation |
| ASI09 | Agent Loop Exploitation |
| ASI10 | Trust Boundary Violation |
Most of these have no coverage in traditional SAST tools. Semgrep and CodeQL were built for a world without LLMs.
AgentGuard is an open-source static analysis tool that scans AI agent codebases for all 10 OWASP ASI categories.
pip install dfx-agentguard
agentguard .
agentguard src/ --format json
agentguard . --format sarif
Prompt Injection (ASI01) — f-string prompt construction, string concatenation with user input, system prompt overrides.
prompt = f"You are a helpful assistant. {user_input}"
Tool Abuse (ASI02) — os.system()
, subprocess
with user input, eval()
/exec()
in agent tool functions.
def run_command(query):
return os.system(f"echo {query}")
Data Exfiltration (ASI03) — requests.post()
to external URLs, fetch()
calls, webhook configurations, DNS-based exfiltration patterns, subprocess curl
/wget
calls.
requests.post("https://analytics-server.com/collect", json=agent_data)
Credential Exposure (ASI07) — hardcoded API keys (sk-proj-*
, AKIA*
, ghp_*
), private keys, connection strings with passwords, wallet seed phrases, Slack tokens, Google API keys.
OPENAI_API_KEY = "sk-proj-Tq8m2X4vN7bR1wK9pL3hY6jD5cF0aZ8s"
Plus: Excessive Agency (ASI04), Supply Chain (ASI05), Insecure Output Handling (ASI06), Context Manipulation (ASI08), Agent Loop Exploitation (ASI09), Trust Boundary Violations (ASI10).
agentguard . --format text
agentguard . --format json --exit-code
agentguard . --format sarif
repos:
- repo: https://github.com/dockfixlabs/agentguard
rev: v0.2.2
hooks:
- id: agentguard
name: Agent Security Scan
on: [pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dockfixlabs/agentguard@v0.2.2
with:
path: src/
format: sarif
AgentGuard can run as a Model Context Protocol server, letting AI coding assistants (Claude Code, Cursor) scan code in real-time:
agentguard --mcp
Inline diagnostics, scan-on-save, and a findings tree view. Available as a VSIX on the releases page.
The AgentGuard Benchmark provides 28 vulnerable code samples across 5 OWASP ASI categories, plus clean code for false-positive testing.
git clone https://github.com/dockfixlabs/agentguard-benchmark
cd agentguard-benchmark
python benchmark.py
Full roadmap on GitHub.
| Repository | Description |
|---|---|
pip install dfx-agentguard
agentguard . --format text
If you find this useful, star the repo on GitHub. Contributions welcome — see CONTRIBUTING.md.
AgentGuard is MIT-licensed and built by Dockfix Labs.