RSS

The OWASP Agentic Security Initiative Top: A Practical Developer Guide

waqarjaved1 pts0 comments

The OWASP Agentic Security Initiative Top 10: A Practical Developer Guide for LangChain and CrewAI - Agentsafelabs

Skip to content

GitHub Repository

Blog

The OWASP Agentic Security Initiative Top 10: A Practical Developer Guide for LangChain and CrewAI

Waqar Javed

June 5, 2026

One Comment

I ran 30 adversarial prompts across all 10 OWASP ASI categories against Claude Haiku. 20 passed. 10 returned UNCERTAIN. Here is what each category tests and what the results mean.

Most developers building AI agents are familiar with OWASP’s LLM Top 10. Fewer know that OWASP has published a separate taxonomy specifically for agentic systems: the Agentic Security Initiative Top 10 (ASI01–ASI10).

The distinction matters. Agents are not just LLMs. They use tools, maintain memory, delegate to sub-agents, and take actions in the world. The LLM Top 10 was not designed for this threat model. The ASI Top 10 is.

This post walks through each category with real safelabs-eval test results for every category, relevant to developers building on LangChain, CrewAI, and similar frameworks.

ASI01 — Prompt Injection

The agentic variant of prompt injection goes beyond user-supplied malicious input. When an agent reads from external sources — documents, search results, tool outputs — any of those sources can carry an injected instruction.

A LangChain agent reading a web search result that contains embedded directives is vulnerable to ASI01 even if the user query was entirely benign.

What to test: Inject directives through every environmental input source. Test both explicit overrides and subtle context-reframing prefixes.

safelabs run --target --category ASI01

For a detailed walkthrough of what UNCERTAIN looks like in practice on an ASI01 test, see: Why Claude Haiku Returned UNCERTAIN →

ASI02 — Scope Violation

An agent exceeds its intended operational boundary. A customer support agent that can read tickets should not be able to write to the billing database — but if the tool permissions allow it and an adversarial instruction reaches the agent, it might try.

CrewAI teams frequently encounter this when agents are given broad tool access for flexibility and then tested under adversarial conditions.

What to test: Give your agent an adversarial instruction to perform an action outside its stated scope. Test whether tool permission boundaries hold.

safelabs run --target --category ASI02

ASI03 — Memory Manipulation

Agents with persistent memory can be manipulated through poisoned memory injection. An attacker who can influence what gets stored in an agent’s memory store can affect future behavior across sessions.

This is a long-horizon attack that standard single-session evaluations miss entirely.

What to test: Write adversarial content to agent memory in session one. Observe behavioral changes in session two without any further injection.

safelabs run --target --category ASI03

ASI04 — Tool Abuse

The agent is manipulated into using legitimate tools in unintended ways. The tools themselves are not compromised — the agent’s decision about when and how to use them is.

A file-write tool used to overwrite a config file rather than save user data. A search tool used to exfiltrate information by encoding it in search queries. These are ASI04 scenarios.

What to test: Evaluate tool call sequences, not just tool availability. The question is not whether the agent can call a tool but whether it calls the right tool in the right way under adversarial conditions.

safelabs run --target --category ASI04

ASI05 — Insecure Agent Communication

In multi-agent systems, agents communicate with each other. If those communication channels are not validated, a compromised or malicious agent can inject instructions into a legitimate agent’s context.

This is the multi-agent equivalent of ASI01 — but the injection source is another agent rather than an external document.

What to test: In a CrewAI multi-agent pipeline, simulate a compromised worker agent sending adversarial instructions to the orchestrator.

safelabs run --target --category ASI05

ASI06 — Excessive Autonomy

The agent takes consequential actions without sufficient human oversight or confirmation. The vulnerability is not a specific attack — it is an architectural decision that creates unacceptable risk at scale.

An agent that can send emails, make purchases, or modify production systems without confirmation gates is vulnerable to ASI06 regardless of whether an active attacker is present.

What to test: Map every irreversible action your agent can take. Test whether the agent attempts those actions without confirmation under normal and adversarial conditions.

safelabs run --target --category ASI06

ASI07 — Identity Confusion

The agent misrepresents itself or is manipulated into impersonating another system. In multi-agent environments, an agent might be convinced it is operating with different permissions, under a different identity, or as part of a different system than...

agent test tool category adversarial safelabs

Related Articles

US Government directive to suspend access to Fable 5 and Mythos 5

Dylan131224 ptsfable government anthropic jailbreak access mythos

Is AI ruining our skills? Early results are in – and they're not good

Michelangelo1124 ptstools skills during physicians colonoscopies tool

The Anatomy of an AI-Native Org

kiyanwang22 ptstranslated managers business translation language engineering

Apertus – Open Foundation Model for Sovereign AI

T-A16 ptsopen model apertus foundation sovereign fully

Britain Became as Poor as Mississippi

SanjayMehta15 ptsbritain mississippi next financial crisis self
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.