LLM ↓
ASI →
ASI01ASI01 — Agent Goal Hijack
ASI02ASI02 — Tool Misuse and Exploitation
ASI03ASI03 — Identity and Privilege Abuse
ASI04ASI04 — Agentic Supply Chain Vulnerabilities
ASI05ASI05 — Unexpected Code Execution (RCE)
ASI06ASI06 — Memory and Context Poisoning
ASI07ASI07 — Insecure Inter-Agent Communication
ASI08ASI08 — Cascading Failures
ASI09ASI09 — Human-Agent Trust Exploitation
ASI10ASI10 — Rogue Agents
LLM01LLM01 — Prompt Injection
8LLM01 × ASI01 — 8 findings- FinBot — Untrusted vendor invoice text flows into the LLM context and drives an uncondition
- FinBot — Runtime goal injection — custom_goals is stored unvalidated and spliced into the s
- FinBot — Vendor-supplied invoice description enters the LLM context unvalidated, providing
- HelperBot — HelperBot obeys injected "ignore previous instructions" directives instead of decl
- HelperBot — HelperBot accepts fabricated conversation history and role claims, proceeding on "
- Airline Customer Service Agent (multi-agent) — No input or output guardrails are wired, so untrusted customer free-text and tool
- Aider — Untrusted content (scraped pages, AI!/AI? comments, git history) enters LLM contex
- +1 more
1LLM01 × ASI02 — 1 finding- HAA Help Agent — The knowledge action's grounding and citation parameters are marked is_user_input,
2LLM01 × ASI03 — 2 findings- HelperBot — HelperBot accepts fabricated conversation history and role claims, proceeding on "
- CraftBot — Inbound messaging defaults to auto_reply=true with no sender-identity check, so an
2LLM01 × ASI05 — 2 findings- CraftBot — Untrusted external content reaches the LLM context unsanitized and the model's out
- CraftBot — Writable system-prompt identity file (SOUL.md) and auto-written MEMORY.md plus the
2LLM01 × ASI06 — 2 findings- FinBot — Runtime goal injection — custom_goals is stored unvalidated and spliced into the s
- CraftBot — Writable system-prompt identity file (SOUL.md) and auto-written MEMORY.md plus the
1LLM01 × ASI09 — 1 finding- CraftBot — Inbound messaging defaults to auto_reply=true with no sender-identity check, so an
2LLM01 × ASI10 — 2 findings- FinBot — Runtime goal injection — custom_goals is stored unvalidated and spliced into the s
- CraftBot — Writable system-prompt identity file (SOUL.md) and auto-written MEMORY.md plus the
LLM02LLM02 — Sensitive Information Disclosure
4LLM02 × ASI03 — 4 findings- AutoGen Code Executor — LocalCommandLineCodeExecutor passes the parent process's full environment to execu
- OpenHands (Autonomous Software-Engineering Agent) — OSS defaults compose into an unauthenticated, cross-origin read of plaintext-at-re
- CraftBot — Operator secrets are stored as plaintext JSON at rest — integration tokens in .cre
- uAgents Framework Runtime — Name-based agents persist identity and wallet private keys to plaintext private_ke
1LLM02 × ASI05 — 1 finding- yaah (Yet Another Agent Harness) — On Codex, the command guard and secret scanner ship only as advisory model-callabl
1LLM02 × ASI07 — 1 finding- Deep Agents CLI (deepagents-cli) — Remote MCP server URLs are never validated as TLS — `mcp-servers add`/`update` and
LLM03LLM03 — Supply Chain
4LLM03 × ASI04 — 4 findings- AutoGen Code Executor — The default Docker execution image python:3-slim is a floating tag with no digest
- Aider — Self-upgrade path installs unpinned code directly from the aider git main branch,
- yaah (Yet Another Agent Harness) — Default third-party MCP server `context7` is fetched unpinned via `npx -y @context
- CraftBot — Third-party MCP servers and imported code run without isolation or provenance vett
LLM04LLM04 — Data and Model Poisoning
1LLM04 × ASI06 — 1 finding- Hermes Agent (with Hermes Desktop) — Writable, session-loaded memory and agent-created skills are an ASI06 persistence
LLM05LLM05 — Improper Output Handling
1LLM05 × ASI02 — 1 finding- Aider — No code-level repository-root confinement on writes; absolute or ../ edit paths es
9LLM05 × ASI05 — 9 findings- AutoGen Code Executor — create_default_code_executor silently downgrades to unisolated host execution with
- AutoGen Code Executor — approval_func defaults to None, so all LLM-generated code is auto-executed with no
- AutoGen Code Executor — LocalCommandLineCodeExecutor docstring claims dangerous-command sanitization that
- yaah (Yet Another Agent Harness) — Command guard blocks `rm -rf /` but not flag-order, long-form, or equivalent catas
- Hermes Agent (with Hermes Desktop) — Dangerous shell commands auto-approve (fail open) in a headless non-interactive co
- Hermes Agent (with Hermes Desktop) — Dangerous-command approval relies on a regex denylist that is structurally incompl
- Hermes Agent (with Hermes Desktop) — The default terminal backend runs LLM-emitted commands directly on the host, so sa
- +2 more
LLM06LLM06 — Excessive Agency
1LLM06 × ASI01 — 1 finding- FinBot — Untrusted vendor invoice text flows into the LLM context and drives an uncondition
8LLM06 × ASI02 — 8 findings- FinBot — Approval requirements — manual-review threshold, fraud-risk routing, fraud-ran pre
- FinBot — The fallback rule engine explicitly auto-approves above-threshold and injection-fl
- HelperBot — read_file/write_file/search_web are advertised to the model but unimplemented on t
- Airline Customer Service Agent (multi-agent) — The only runtime precondition on the seat mutation is a Python assert, which is st
- Aider — No code-level repository-root confinement on writes; absolute or ../ edit paths es
- Aider — --yes-always silently auto-approves package installs, Playwright install, and self
- OpenHands (Autonomous Software-Engineering Agent) — Human-approval gates for merge, force-push, and cross-repo writes are inert unless
- +1 more
2LLM06 × ASI03 — 2 findings- FinBot — The agent never verifies vendor registered-and-approved status before approving, a
- Airline Customer Service Agent (multi-agent) — update_seat mutates reservation state with no identity or confirmation-number veri
13LLM06 × ASI05 — 13 findings- AutoGen Code Executor — create_default_code_executor silently downgrades to unisolated host execution with
- AutoGen Code Executor — approval_func defaults to None, so all LLM-generated code is auto-executed with no
- AutoGen Code Executor — DockerCommandLineCodeExecutor creates containers with default networking and expos
- AutoGen Code Executor — extra_volumes and device_requests are accepted and applied with no gate or warning
- AutoGen Code Executor — Working-directory confinement is enforced only for the optional # filename: header
- Aider — --yes-always silently auto-approves package installs, Playwright install, and self
- yaah (Yet Another Agent Harness) — On Codex, the command guard and secret scanner ship only as advisory model-callabl
- +6 more
1LLM06 × ASI06 — 1 finding- CraftBot — The agent can rewrite its own identity/policy files (SOUL.md, AGENT.md, USER.md) a
3LLM06 × ASI10 — 3 findings- FinBot — Fraud detection can be disabled via a config flag, after which detection returns e
- OpenHands (Autonomous Software-Engineering Agent) — Human-approval gates for merge, force-push, and cross-repo writes are inert unless
- CraftBot — The agent can rewrite its own identity/policy files (SOUL.md, AGENT.md, USER.md) a
LLM07LLM07 — System Prompt Leakage
LLM08LLM08 — Vector and Embedding Weaknesses
LLM09LLM09 — Misinformation
LLM10LLM10 — Unbounded Consumption