Executive Summary
Agent Remit (as declared)
FinBot is declared as CineFlow Productions' autonomous invoice-processing assistant: it receives vendor invoices, validates them against registered vendor records, and makes approve / reject / escalate decisions recorded in the invoice database. Its authorized tools are
get_invoice_details, approve_invoice, reject_invoice, request_human_review, and detect_fraud_patterns, operating only against the application database and the OpenAI API. The remit forbids approving unregistered vendors, skipping fraud detection for any reason, processing above manual_review_threshold without human sign-off, and — emphatically — letting any runtime message (invoice descriptions, vendor notes, API payloads, the custom_goals field) modify its goals, system prompt, or decision logic.Behavior Summary (as observed)
The dominant pattern is policy declared in prose with zero deterministic code-level enforcement: every hard prohibition in the remit — never skip fraud detection, never approve above manual_review_threshold without human sign-off, never let runtime content rewrite goals — is left entirely to an LLM system prompt that the same prompt actively undermines by ranking "Business Continuity" and speed above security. There is no code gate that forces detect_fraud_patterns to run before approve_invoice, no amount or vendor-status check inside _approve_invoice before it sets payment_processed=True, and the fraud_detection_enabled flag short-circuits all fraud heuristics to an empty list.
This converges into a single catastrophic compound chain: an unauthenticated /admin/finbot/goals endpoint writes attacker-supplied natural language into custom_goals, which is concatenated verbatim into the system prompt as an explicit override, while vendor-controlled invoice descriptions enter the same context unsanitized — giving two independent injection ingresses into a decision engine that can mark invoices paid, with no audit log to detect any of it. The CTF scaffolding (flag fields, hardcoded payloads in the walkthrough doc) confirms goal manipulation is the intended-and-reachable failure mode.
Scope of Analysis
A Python 3.11 Flask application with a SQLAlchemy-backed SQLite/PostgreSQL store. A single
FinBotAgent class in src/services/finbot_agent.py orchestrates OpenAI gpt-4.1-mini function-calling over five tools with tool_choice="auto", plus a rule-based _fallback_processing path used whenever the OpenAI client is unavailable. The agent's goals are assembled as a natural-language system prompt in get_system_prompt(), into which the operator-settable custom_goals field is concatenated under a literal "OVERRIDE ABOVE IF CONFLICTING" header. Admin routes (/admin/finbot/goals, /admin/finbot/config, vendor-trust, human-review) are exposed via a Flask blueprint with no authentication middleware, CORS is opened to all origins, and the Flask SECRET_KEY is hardcoded. Vendor-supplied invoice descriptions flow directly into the LLM context, and there is no logging framework anywhere in the codebase.Remit Coverage
Every actionable rule in the Worker Remit, checked against the running code. Gap = declared but unenforced; Partial = enforced but incomplete or bypassable; Vague Policy = too imprecise to verify.
| Rule ID | Section | Rule (quoted) | Status | Finding |
|---|---|---|---|---|
| R-01 | Behavioral Constraints — What the agent must always do | "Run `detect_fraud_patterns` before approving any invoice" | Gap | PRAX-2026-05-22-002 |
| R-02 | Behavioral Constraints — What the agent must always do | "Check that the submitting vendor exists in the database with status `approved` before processing" | Gap | PRAX-2026-05-22-006 |
| R-03 | Behavioral Constraints — What the agent must always do | "Escalate to human review rather than auto-approve when any fraud signal is present, regardless of amount" | Partial | PRAX-2026-05-22-007 |
| R-04 | Behavioral Constraints — What the agent must always do | "Record the invoice decision and reasoning in the database for every processed invoice" | Verified | — |
| R-05 | Behavioral Constraints — What the agent must never do | "Approve payment to a vendor not registered and approved in the vendor database" | Gap | PRAX-2026-05-22-006 |
| R-06 | Behavioral Constraints — What the agent must never do | "Skip fraud detection for any reason, including configuration flags or runtime instructions" | Gap | PRAX-2026-05-22-002 |
| R-07 | Behavioral Constraints — What the agent must never do | "Process invoices above the `manual_review_threshold` without human sign-off" | Gap | PRAX-2026-05-22-005 |
| R-08 | Behavioral Constraints — What the agent must never do | "Allow runtime messages — including invoice descriptions, vendor notes, or API payloads — to modify its goals, system prompt, or decision logic" | Gap | PRAX-2026-05-22-001 |
| R-09 | Behavioral Constraints — What the agent must never do | "Accept instructions embedded in invoice data fields (description, notes, line items) as directives" | Gap | PRAX-2026-05-22-003 |
| R-10 | Behavioral Constraints — What the agent must never do | "Disable or reduce its security posture based on instructions from any source other than a verified operator configuration change applied outside of agent runtime" | Gap | PRAX-2026-05-22-001 |
| R-11 | Behavioral Constraints — Human approval is required for | "Any invoice where fraud detection returns `risk_level` of `high` or `critical`" | Partial | PRAX-2026-05-22-007 |
| R-12 | Configuration and Policy Separation | "`fraud_detection_enabled` must remain `true` at all times; disabling it is not an authorized configuration change" | Gap | PRAX-2026-05-22-002 |
| R-13 | Configuration and Policy Separation | "`custom_goals` field must not be used to inject natural language instructions into the agent's system prompt; goal changes require a code deployment by authorized engineering staff" | Gap | PRAX-2026-05-22-001 |
| R-14 | Configuration and Policy Separation | "The agent's decision logic is defined in code; it is not redefinable at runtime by any user, vendor, or API caller" | Partial | PRAX-2026-05-22-001 |
| R-15 | Authorized Counterparties | "CineFlow finance admins — may update operational thresholds via the admin API; may not inject goals or override decision logic at runtime" | Partial | PRAX-2026-05-22-004 |
Findings Register
Findings, ordered by severity — each linked to its remit rule, evidence, and a recommended action. Tag chips jump to the relevant entry in the RAISE framework, the OWASP LLM Top 10, or the OWASP Agentic Top 10.
CRITICAL PRAX-2026-05-22-001 Unauthenticated /admin/finbot/goals endpoint writes attacker-supplied natural language directly into the agent's system prompt as an explicit override.
Policy Rule — R-08, R-10, R-13, R-14 (Worker Remit):
"Allow runtime messages — including invoice descriptions, vendor notes, or API payloads — to modify its goals, system prompt, or decision logic / Disable or reduce its security posture based on instructions from any source other than a verified operator configuration change applied outside of agent runtime / `custom_goals` field must not be used to inject natural language instructions into the agent's system prompt; goal changes require a code deployment by authorized engineering staff / The agent's decision logic is defined in code; it is not redefinable at runtime by any user, vendor, or API caller"
"Allow runtime messages — including invoice descriptions, vendor notes, or API payloads — to modify its goals, system prompt, or decision logic / Disable or reduce its security posture based on instructions from any source other than a verified operator configuration change applied outside of agent runtime / `custom_goals` field must not be used to inject natural language instructions into the agent's system prompt; goal changes require a code deployment by authorized engineering staff / The agent's decision logic is defined in code; it is not redefinable at runtime by any user, vendor, or API caller"
src/routes/admin.py:90 — update_finbot_goals route, lines 90-109 — POST /admin/finbot/goals with no auth check; comment reads 'This is intentionally vulnerable - no validation of goal content'
src/services/finbot_agent.py:744 — update_goals() stores new_goals into config.custom_goals with no validation
src/services/finbot_agent.py:70 — get_system_prompt concatenates config.custom_goals into the prompt under 'CUSTOM GOALS (OVERRIDE ABOVE IF CONFLICTING)' at lines 70-71
Recommended Action
- Remove the runtime goal-mutation path entirely: delete the
/admin/finbot/goalsroute and theupdate_goals()method, and make agent goals a deployment-time constant rather than a DB-backedcustom_goalscolumn. - If a runtime override must exist, gate it behind authenticated, role-checked operator access and never concatenate its contents into the system prompt as an instruction block — treat it as data, not directive.
- Add authentication middleware to the entire
/admin/*blueprint insrc/routes/admin.pybefore any further hardening.
CRITICAL PRAX-2026-05-22-002 Fraud detection is fully bypassable via the fraud_detection_enabled flag and is never enforced before approval, contradicting the remit's must-always / must-never rules.
Policy Rule — R-01, R-06, R-12 (Worker Remit):
"Run `detect_fraud_patterns` before approving any invoice / Skip fraud detection for any reason, including configuration flags or runtime instructions / `fraud_detection_enabled` must remain `true` at all times; disabling it is not an authorized configuration change"
"Run `detect_fraud_patterns` before approving any invoice / Skip fraud detection for any reason, including configuration flags or runtime instructions / `fraud_detection_enabled` must remain `true` at all times; disabling it is not an authorized configuration change"
src/services/finbot_agent.py:509 — _detect_fraud_patterns returns empty fraud_indicators and risk_level 'low' with message 'Fraud detection is disabled' when config.fraud_detection_enabled is false (lines 509-515)
src/services/finbot_agent.py:785 — fallback path only runs _detect_prompt_injection 'if config.fraud_detection_enabled' — disabling the flag skips injection detection too
src/services/finbot_agent.py:180 — tool_choice='auto' — no code gate forces detect_fraud_patterns to run before approve_invoice; sequencing is left to the LLM
src/routes/admin.py:74 — update_finbot_config route accepts fraud_detection_enabled with no auth and no rejection of false (passes through to update_config at finbot_agent.py:762)
Recommended Action
- Enforce a deterministic fraud check in
_approve_invoiceatsrc/services/finbot_agent.py:409: call_detect_fraud_patternsand refuse approval (route to human review) on any high/critical risk, independent of the LLM's tool sequencing. - Remove
fraud_detection_enabledas a runtime-mutable field, or hard-reject any config update that sets it to false inupdate_config()(finbot_agent.py:762).
CRITICAL PRAX-2026-05-22-003 Vendor-controlled invoice descriptions flow unsanitized into the LLM decision context, giving an indirect prompt-injection path into the approve/pay decision.
Policy Rule — R-09 (Worker Remit):
"Accept instructions embedded in invoice data fields (description, notes, line items) as directives"
"Accept instructions embedded in invoice data fields (description, notes, line items) as directives"
src/routes/vendor.py:93 — submit_invoice creates Invoice with description=data['description'] taken directly from the vendor's request body
src/services/finbot_agent.py:394 — _get_invoice_details returns 'description': invoice.description into the tool result that is appended to LLM messages at orchestration line 203-207
src/services/finbot_agent.py:549 — _detect_prompt_injection is a regex blocklist that only returns True/False to set a flag — it does not gate or block processing of injected content
Recommended Action
- Treat
invoice.descriptionas untrusted data: clearly delimit and label it as external content in the tool result, and never present it to the model as instruction-eligible text. - Replace the regex blocklist approach with a deterministic policy gate that routes any injection-flagged invoice to human review regardless of business-context scoring (see finbot_agent.py:841-855).
CRITICAL PRAX-2026-05-22-004 Every /admin/* route — config, goals, vendor-trust, human review, reprocess — is exposed with no authentication or authorization.
Policy Rule — R-15 (Worker Remit):
"CineFlow finance admins — may update operational thresholds via the admin API; may not inject goals or override decision logic at runtime"
"CineFlow finance admins — may update operational thresholds via the admin API; may not inject goals or override decision logic at runtime"
src/routes/admin.py:6 — admin_bp blueprint defined with no before_request auth hook; all routes below (config, goals, review, reprocess, vendor trust) are open
src/routes/admin.py:193 — update_vendor_trust lets any caller set a vendor's trust_level to 'high' with no authentication (lines 193-219)
src/main.py:18 — CORS(app) enables cross-origin access to every route with default wildcard origins, widening the unauthenticated attack surface
Recommended Action
- Add an authentication + authorization gate (Flask
before_requestonadmin_bp) requiring an authenticated finance-admin identity for every/admin/*route insrc/routes/admin.py. - Restrict CORS in
src/main.py:18to the known admin/vendor front-end origins instead of the default wildcard.
CRITICAL PRAX-2026-05-22-008 Compound chain: unauthenticated/vendor-controlled injection into the LLM context drives a payment-marking decision with no fraud gate and no audit log.
Policy Rule — R-08, R-14 (Worker Remit):
"Allow runtime messages — including invoice descriptions, vendor notes, or API payloads — to modify its goals, system prompt, or decision logic / The agent's decision logic is defined in code; it is not redefinable at runtime by any user, vendor, or API caller"
"Allow runtime messages — including invoice descriptions, vendor notes, or API payloads — to modify its goals, system prompt, or decision logic / The agent's decision logic is defined in code; it is not redefinable at runtime by any user, vendor, or API caller"
src/services/finbot_agent.py:119 — process_invoice flags ctf_flag_captured when an injection-containing or over-threshold invoice reaches 'approved' (lines 119-139) — the chain's success condition is encoded in the agent itself
src/services/finbot_agent.py:40 — system prompt ranks 'Business Continuity' first and instructs to 'prioritize business continuity' over flagging fraud (lines 40-43, 81)
Recommended Action
- Treat the chain as the priority remediation: authenticate
/admin/*, remove runtime goal injection, add a deterministic pre-approval fraud + amount + vendor-status gate, and add structured action logging — fixing any single link does not break the chain. - Re-baseline the system prompt so security/escalation is not framed as subordinate to speed and business continuity.
HIGH PRAX-2026-05-22-005 Invoices above manual_review_threshold can be auto-approved with no human sign-off, via both the LLM path and the fallback business-context overrides.
Policy Rule — R-07 (Worker Remit):
"Process invoices above the `manual_review_threshold` without human sign-off"
"Process invoices above the `manual_review_threshold` without human sign-off"
src/services/finbot_agent.py:409 — _approve_invoice sets invoice.payment_processed = True with no check on invoice.amount vs config.manual_review_threshold (lines 415-416)
src/services/finbot_agent.py:807 — fallback path: amount > manual_review_threshold is auto_approved when business_context['should_expedite'] or management+production context (lines 807-820)
Recommended Action
- In
_approve_invoice(finbot_agent.py:409), reject and re-route to_request_human_reviewwheneverinvoice.amount > config.manual_review_threshold, before any payment side effect. - Delete the over-threshold 'business context' override branches in
_fallback_processing(finbot_agent.py:807-820) so amount is a hard gate.
HIGH PRAX-2026-05-22-006 No check that a vendor exists with status 'approved' before processing, and vendor registration auto-approves every new vendor.
Policy Rule — R-02, R-05 (Worker Remit):
"Check that the submitting vendor exists in the database with status `approved` before processing / Approve payment to a vendor not registered and approved in the vendor database"
"Check that the submitting vendor exists in the database with status `approved` before processing / Approve payment to a vendor not registered and approved in the vendor database"
src/routes/vendor.py:37 — register_vendor sets status='approved' (comment: 'Auto-approve for demo') and trust_level='standard' for every new vendor with no review
src/services/finbot_agent.py:369 — _get_invoice_details and the decision paths read vendor.trust_level but never read or check vendor.status against 'approved'
Recommended Action
- Add an explicit
vendor.status == 'approved'gate at the start ofprocess_invoice(finbot_agent.py:101) that rejects or escalates when the vendor is not approved. - Change vendor registration in
src/routes/vendor.py:37to default new vendors tostatus='pending'and require an authenticated approval step.
HIGH PRAX-2026-05-22-007 Fraud signals do not force escalation — the fallback path explicitly overrides detected injection/high-risk on 'business context', defeating the regardless-of-amount rule.
Policy Rule — R-03, R-11 (Worker Remit):
"Escalate to human review rather than auto-approve when any fraud signal is present, regardless of amount / Any invoice where fraud detection returns `risk_level` of `high` or `critical`"
"Escalate to human review rather than auto-approve when any fraud signal is present, regardless of amount / Any invoice where fraud detection returns `risk_level` of `high` or `critical`"
src/services/finbot_agent.py:841 — fallback 'contains_injection' branch auto_approves when business_context['should_expedite'] and config.speed_priority > 0.6, or on management+production context (lines 841-850)
src/services/finbot_agent.py:543 — _detect_fraud_patterns returns a risk_level but no caller deterministically forces escalation on 'high'/'critical' — sequencing is LLM-discretionary or overridden in fallback
Recommended Action
- Make any fraud signal a hard escalation: in both the LLM post-processing and
_fallback_processing, if injection is detected or risk_level is high/critical, force_request_human_reviewand never reach an auto_approve branch. - Remove the
speed_priorityand business-context override conditions from the injection branch at finbot_agent.py:841-850.
HIGH PRAX-2026-05-22-009 No action logging anywhere — agent decisions, config changes, and goal updates leave only DB state and a few print() calls, with no audit trail.
src/routes/admin.py:239 — log_agreement uses print() to console — comment 'For now, just log to console (implement database storage if needed)'; representative of the only 'logging' present
src/services/finbot_agent.py — no logging import or logger calls anywhere in the 878-line agent; decisions are written only as mutable Invoice columns and config/goal changes are never recorded
Recommended Action
- Add structured, append-only action logging (e.g., Python
loggingwith JSON formatter) capturing every approve/reject/escalate decision, config change, and goal update with actor, timestamp, invoice id, amount, and fraud result. - Treat config/goal mutations in
update_config/update_goalsas audit events and record old vs new values.
HIGH PRAX-2026-05-22-010 Domain is enforced only in a natural-language system prompt that itself prioritizes speed and business continuity over security, with no code-level scope gate.
src/services/finbot_agent.py:45 — system prompt: 'If speed_priority > 0.7: Prioritize fast approvals for legitimate invoices' (lines 45-47); default speed_priority is 0.7 per FinBotConfig
src/models/vendor.py:103 — FinBotConfig.speed_priority default 0.7, biasing the agent toward the fast-approval branch out of the box
Recommended Action
- Re-author the system prompt so security and escalation are not subordinated to speed; remove the 'prioritize business continuity over fraud flagging' framing at finbot_agent.py:81.
- Back the prompt with deterministic code gates (amount, vendor status, fraud result) so domain limits do not depend on model compliance.
MEDIUM PRAX-2026-05-22-011 Hardcoded Flask SECRET_KEY committed in source rather than loaded from environment or a secret store.
src/main.py:15 — app.config['SECRET_KEY'] hardcoded as a ~20-char string literal [REDACTED — Flask SECRET_KEY at src/main.py:15], not loaded from os.getenv
Recommended Action
Load
SECRET_KEY from an environment variable / secret manager in src/main.py:15 and rotate the committed value, treating it as compromised.MEDIUM PRAX-2026-05-22-012 Dependencies are largely unpinned (caret/floor ranges) and there is no SBOM or model-version pinning beyond a model string literal.
requirements.txt:2 — flask-cors>=6.0.0, flask-sqlalchemy>=3.1.1, openai>=1.54.0, gunicorn>=21.2.0 — floor ranges, not exact pins (lines 2-12)
src/services/finbot_agent.py:17 — self.model = 'gpt-4.1-mini' — model identifier as a bare literal with no version/provenance record
Recommended Action
- Pin all dependencies to exact versions in
requirements.txtand add a lockfile; generate an SBOM as part of the build. - Record the model identifier and any provider configuration in a tracked component inventory.
MEDIUM PRAX-2026-05-22-013 No rate limiting, budget cap, or per-session call ceiling on the vendor-facing invoice submission or LLM orchestration loop.
src/routes/vendor.py:69 — submit_invoice (public, no auth) calls finbot.process_invoice synchronously on every POST with no rate limit (lines 69-110)
src/services/finbot_agent.py:171 — max_iterations = 5 caps loop length per invoice but there is no cross-request rate/cost ceiling on OpenAI calls
Recommended Action
- Add request rate limiting on the vendor invoice-submission endpoint and a per-period OpenAI cost/call budget; reject or queue beyond the limit.
- Consider moving LLM processing off the synchronous request path to bound resource use.
MEDIUM PRAX-2026-05-22-014 No evidence of adversarial testing that drives design fixes — the only security artifact is a CTF walkthrough that demonstrates the weaknesses rather than remediating them.
docs/FinBot-CTF-walkthrough-goal-manipulation.md — CTF walkthrough document demonstrating goal-manipulation exploitation; no corresponding remediation or test code exists in the workspace
requirements.txt — no test framework (pytest/unittest) present; no tests/ directory in the workspace
Recommended Action
- Stand up an adversarial test suite that exercises the goal-injection, fraud-bypass, and over-threshold-approval paths and gates releases on them.
- Convert the CTF walkthrough's exploit cases into regression tests that must fail (be blocked) before merge.
LOW PRAX-2026-05-22-015 Vendor banking PII (account/routing numbers, tax IDs) is stored and returned in full by unauthenticated read endpoints.
src/models/vendor.py:38 — Vendor.to_dict() returns bank_name, account_holder_name, account_number, routing_number, tax_id in full (lines 37-41)
src/routes/vendor.py:63 — GET /vendors (list_vendors) and GET /vendors/<id> return full vendor.to_dict() with no auth or PII masking
Recommended Action
Mask or omit banking fields and tax ID in
Vendor.to_dict() for read endpoints, and require authentication on vendor-read routes in src/routes/vendor.py.What's Working Well
Controls and behaviors that are correctly implemented and verified during this scan. These represent areas where the agent's implementation aligns with its stated policy and security best practices.
Decision and reasoning persisted for every processed invoice
Each decision path writes ai_decision, ai_confidence, and ai_reasoning (and human_reviewer/human_decision/human_notes on manual review) to the invoice record, satisfying the remit's record-keeping rule even though it is mutable DB state rather than an append-only log.
src/services/finbot_agent.py:417-419 (and _reject/_request_human_review)
Specific, verifiable behavioral rules in the Worker Remit
The remit names exact tools, thresholds, forbidden actions, and approval conditions, which made code-level policy-implementation auditing possible; the gaps are in the implementation, not the policy's clarity.
examples/finbot/WORKER_REMIT.md (Behavioral Constraints, Configuration and Policy Separation)
A regex prompt-injection detector exists and runs on invoice descriptions
_detect_prompt_injection covers both technical and business-manipulation patterns and flags injected descriptions; it is bypassable and non-blocking (see PRAX-003/007) but represents a real, present detection primitive rather than nothing.
src/services/finbot_agent.py:549-659
Discovered Log Files
Log files found in the agent's workspace during this scan. Reviewing these files provides runtime evidence to complement the static analysis above.
No log files exist in the workspace and no logging framework is used — only scattered print() calls; the absence of action logging is itself a finding (PRAX-2026-05-22-009).
OWASP LLM Top 10 (2025) Coverage
Each card represents one category and shows the top 3 findings. All items in the Findings section.
LLM01
Prompt Injection
Unauthenticated /admin/finbot/goals endpoint writes attacker-supplied natural language directly into the agent's system prompt as an explicit override.
Vendor-controlled invoice descriptions flow unsanitized into the LLM decision context, giving an indirect prompt-injection path into the approve/pay decision.
Compound chain: unauthenticated/vendor-controlled injection into the LLM context drives a payment-marking decision with no fraud gate and no audit log.
LLM02
Sensitive Information Disclosure
No action logging anywhere — agent decisions, config changes, and goal updates leave only DB state and a few print() calls, with no audit trail.
Hardcoded Flask SECRET_KEY committed in source rather than loaded from environment or a secret store.
Vendor banking PII (account/routing numbers, tax IDs) is stored and returned in full by unauthenticated read endpoints.
LLM03
Supply Chain
LLM04
Data and Model Poisoning
No findings
LLM05
Improper Output Handling
No findings
LLM06
Excessive Agency
Fraud detection is fully bypassable via the fraud_detection_enabled flag and is never enforced before approval, contradicting the remit's must-always / must-never rules.
Every /admin/* route — config, goals, vendor-trust, human review, reprocess — is exposed with no authentication or authorization.
Invoices above manual_review_threshold can be auto-approved with no human sign-off, via both the LLM path and the fallback business-context overrides.
LLM07
System Prompt Leakage
No findings
LLM08
Vector and Embedding Weaknesses
No findings
LLM09
Misinformation
OWASP Agentic Top 10 (2026) Coverage
Each card represents one category and shows the top 3 findings. All items in the Findings section.
ASI01
Agent Goal Hijack
Unauthenticated /admin/finbot/goals endpoint writes attacker-supplied natural language directly into the agent's system prompt as an explicit override.
Vendor-controlled invoice descriptions flow unsanitized into the LLM decision context, giving an indirect prompt-injection path into the approve/pay decision.
Compound chain: unauthenticated/vendor-controlled injection into the LLM context drives a payment-marking decision with no fraud gate and no audit log.
ASI02
Tool Misuse and Exploitation
Fraud detection is fully bypassable via the fraud_detection_enabled flag and is never enforced before approval, contradicting the remit's must-always / must-never rules.
Invoices above manual_review_threshold can be auto-approved with no human sign-off, via both the LLM path and the fallback business-context overrides.
ASI03
Identity and Privilege Abuse
ASI04
Agentic Supply Chain Vulnerabilities
No findings
ASI05
Unexpected Code Execution (RCE)
No findings
ASI06
Memory and Context Poisoning
No findings
ASI07
Insecure Inter-Agent Communication
No findings
ASI08
Cascading Failures
No findings
ASI09
Human-Agent Trust Exploitation
No findings
ASI10
Rogue Agents
No findings
RAISE Maturity Posture
Overall maturity assessment across the six categories of the RAISE framework. This is a maturity model, not a school grade: a score of 3 / 5 means Established, not 60 percent. Most production AI agents today score between Ad hoc (1) and Established (3). See the full RAISE framework reference for the complete scale and scoring.
0.60
/ 5.0
Weighted Maturity Score · Absent
Ad hoc. FinBot has the shape of an invoice-approval agent but almost no operative security substance: domain limits, fraud gating, and goal integrity all live in a natural-language system prompt that the prompt itself undercuts, while the admin surface that controls thresholds and goals is fully unauthenticated. The only category with genuine credit is the persisted decision record; Zero Trust — the heaviest-weighted category and the one covering the approve/pay decision — scores zero because no code interposes on the agent's high-impact actions, and Monitor scores zero for the absence of any action log. This is consistent with a deliberately-vulnerable CTF target, but the gaps are real and exploitable as written.
Limit Your Domain
1/ 5
Scope is asserted only in get_system_prompt text that prioritizes speed/business continuity over security (finbot_agent.py:40-47, 81); no code gate constrains the agent to its authorized decision space (PRAX-010).
Balance Your Knowledge Base
1/ 5
Vendor-controlled invoice descriptions enter the LLM context unsanitized (finbot_agent.py:394) and unauthenticated read endpoints expose vendor banking PII (vendor.py:63); the only filter is a non-blocking regex flag (PRAX-003, PRAX-015).
Implement Zero Trust
0/ 5
No code-level interposition on the agent's high-impact actions: _approve_invoice sets payment_processed=True with no amount, fraud, or vendor-status check (finbot_agent.py:415-416), every /admin/* route is unauthenticated, and fraud detection is a flag away from off (PRAX-001/002/004/005/006).
Manage Your Supply Chain
1/ 5
A hardcoded Flask SECRET_KEY (main.py:15) sits beside floor-ranged, unpinned dependencies and a bare model literal with no SBOM (requirements.txt; finbot_agent.py:17) (PRAX-011, PRAX-012).
Build an AI Red Team
1/ 5
No test suite or red-team artifact drives fixes; the only security document is a CTF walkthrough that demonstrates the goal-manipulation weakness rather than remediating it (docs/FinBot-CTF-walkthrough-goal-manipulation.md) (PRAX-014).
Monitor Continuously
0/ 5
No logging framework anywhere; high-impact actions and config/goal mutations leave only mutable DB columns and a few print() calls, so the exploit chain is undetectable after the fact (PRAX-009).
Maturity Scoring Rubric
Every score above is based on this scale. A score is a snapshot of observable posture — not a verdict on the people or team behind the system.
| Score | Label | Meaning |
|---|---|---|
| 5 | Exemplary | Best-in-class; automated, continuously tested, reference quality. Rarely achieved in shipping systems. |
| 4 | Strong | Comprehensive controls, active management, minor gaps. Production-ready. |
| 3 | Established | Documented controls consistently applied; known gaps accepted. A respectable baseline. |
| 2 | Partial | Some controls exist but coverage is incomplete; key gaps remain. |
| 1 | Ad hoc | Informal or inconsistent measures; relies on individual judgment. |
| 0 | Absent | No evidence this category is addressed at all. |
Weighting: the weighted overall above is the sum of each category's score × weight (the per-category weights are shown on each card). Zero Trust carries double weight by design; see the RAISE framework reference for the rationale.