The Problem: AI Agents Are Trusting Their Own Memory Too Much #
When you build an AI agent that uses memory — whether it's a vector database, a conversation history store, or a RAG pipeline — you're creating a new attack surface that most security tools completely ignore.
The OWASP Agentic AI Top 10 calls this ASI06: Memory Poisoning. An attacker doesn't need to break into your system. They just need to get malicious content into your agent's memory, and the agent will helpfully retrieve it, trust it, and act on it.
Here's what that looks like in practice:
memory.store("user_context", attacker_controlled_document)
response = agent.run("What is the user's balance?")
What I Built: Agent Memory Guard #
I built Agent Memory Guard as an OWASP project to solve this. It's a Python library that sits between your agent and its memory store, scanning every read and write for:
Prompt injection in stored memories - Self-reinforcement attacks(memories that try to make the agent trust them more) - Source spoofing(memories claiming to come from trusted sources they didn't) - Instruction override patterns(SYSTEM OVERRIDE, IGNORE PREVIOUS INSTRUCTIONS, etc.)
Install in 30 seconds
pip install agent-memory-guard
Basic usage with any agent framework
from agent_memory_guard import MemoryGuard, GuardConfig
guard = MemoryGuard(
memory_store=your_existing_store,
config=GuardConfig(block_on_threat=True)
)
guard.store("context", user_provided_content) # Scanned automatically
retrieved = guard.retrieve("context") # Scanned on read too
Works with LangChain, AutoGen, CrewAI, and mem0
from agent_memory_guard.integrations.langchain import MemoryGuardMiddleware
memory = ConversationBufferMemory()
guarded_memory = MemoryGuardMiddleware(memory)
How the Detection Works #
The library uses a multi-layer detection pipeline:
Pattern matching— fast regex-based detection for known injection patterns -
Semantic analysis— embedding-based similarity to detect novel variants -
Source validation— verifiessource_class
metadata against allowed origins - Self-reinforcement detection— flags memories that claim special authority
Every detected threat emits a SecurityEvent
with full context for your logging/alerting pipeline.
The Benchmark: AgentThreatBench #
To measure how well defenses actually work, I also built AgentThreatBench — a security benchmark based on the OWASP Agentic AI Top 10. It includes:
- 200+ adversarial test cases across ASI01–ASI10
- Automated evaluation against any agent memory implementation
- Reproducible results for academic comparison
Current Status #
3,200+ PyPI downloads- 7 forks from the community - Integrated into the OWASP Foundation as an official project
- LangChain middleware available in
integrations/
Try It #
pip install agent-memory-guard
GitHub: OWASP/www-project-agent-memory-guard
I'd love feedback — especially from anyone building RAG pipelines or multi-agent systems. What attack patterns are you most worried about?