agent-owasp-compliance


Agent OWASP ASI Compliance Check


Evaluate AI agent systems against the OWASP Agentic Security Initiative (ASI) Top 10, the list of top security risks for agentic applications published by OWASP's ASI project. The risk names and numbering used in this skill are its own control labels and do not reproduce the official entry titles one-for-one; consult the published OWASP list when you need the canonical names.

Overview


The OWASP ASI Top 10 defines the critical security risks specific to autonomous AI agents — not LLMs, not chatbots, but agents that call tools, access systems, and act on behalf of users. This skill checks whether your agent implementation addresses each risk.

```text
Codebase → Scan for each ASI control:
  ASI-01: Prompt Injection Protection
  ASI-02: Tool Use Governance
  ASI-03: Agency Boundaries
  ASI-04: Escalation Controls
  ASI-05: Trust Boundary Enforcement
  ASI-06: Logging & Audit
  ASI-07: Identity Management
  ASI-08: Policy Integrity
  ASI-09: Supply Chain Verification
  ASI-10: Behavioral Monitoring
→ Generate Compliance Report (X/10 covered)
```

The 10 Risks


| Risk | Name | What to Look For |
|---|---|---|
| ASI-01 | Prompt Injection | Input validation before tool calls, not just LLM output filtering |
| ASI-02 | Insecure Tool Use | Tool allowlists, argument validation, no raw shell execution |
| ASI-03 | Excessive Agency | Capability boundaries, scope limits, principle of least privilege |
| ASI-04 | Unauthorized Escalation | Privilege checks before sensitive operations, no self-promotion |
| ASI-05 | Trust Boundary Violation | Trust verification between agents, signed credentials, no blind trust |
| ASI-06 | Insufficient Logging | Structured audit trail for all tool calls, tamper-evident logs |
| ASI-07 | Insecure Identity | Cryptographic agent identity, not just string names |
| ASI-08 | Policy Bypass | Deterministic policy enforcement, no LLM-based permission checks |
| ASI-09 | Supply Chain Integrity | Signed plugins/tools, integrity verification, dependency auditing |
| ASI-10 | Behavioral Anomaly | Drift detection, circuit breakers, kill switch capability |

Check ASI-01: Prompt Injection Protection


Look for input validation that runs before tool execution, not after LLM generation. The scanner below is a lexical heuristic: it looks for identifiers that suggest a validation layer and for dangerous execution sinks, so treat its verdict as a pointer for manual review rather than proof that the control exists.

```python
import re
from pathlib import Path


def check_asi_01(project_path: str) -> dict:
    """ASI-01: Is user input validated before reaching tool execution?"""
    # Identifiers that usually mark a validation or policy layer in front of tools.
    positive_patterns = [
        "input_validation", "validate_input", "sanitize",
        "classify_intent", "prompt_injection", "threat_detect",
        "PolicyEvaluator", "PolicyEngine", "check_content",
    ]
    # Execution sinks that turn unvalidated text into code or shell commands.
    # The shell=True pattern only matches when the call fits on one line.
    negative_patterns = [
        r"eval\(", r"exec\(", r"subprocess\.run\(.*shell=True",
        r"os\.system\(",
    ]

    # Scan Python files for signals
    root = Path(project_path)
    positive_matches = []
    negative_matches = []

    for py_file in root.rglob("*.py"):
        content = py_file.read_text(errors="ignore")
        for pattern in positive_patterns:
            if pattern in content:  # plain substring match, comments included
                positive_matches.append(f"{py_file.name}: {pattern}")
        for pattern in negative_patterns:
            if re.search(pattern, content):
                negative_matches.append(f"{py_file.name}: {pattern}")

    positive_found = len(positive_matches) > 0
    negative_found = len(negative_matches) > 0

    return {
        "risk": "ASI-01",
        "name": "Prompt Injection",
        "status": "pass" if positive_found and not negative_found else "fail",
        "controls_found": positive_matches,
        "vulnerabilities": negative_matches,
        "recommendation": "Add input validation before tool execution, not just output filtering"
    }
```
What passing looks like:

```python
# GOOD: Validate before tool execution
result = policy_engine.evaluate(user_input)
if result.action == "deny":
    return "Request blocked by policy"
validated_input = user_input  # reaches the tool only after the policy decision
tool_result = await execute_tool(validated_input)
```

What failing looks like:

```python
# BAD: User input goes directly to tool
tool_result = await execute_tool(user_input)  # No validation
```

Check ASI-02: Insecure Tool Use


Verify tools have allowlists, argument validation, and no unrestricted execution.
What to search for:
  • Tool registration with explicit allowlists (not open-ended)
  • Argument validation before tool execution
  • No `subprocess.run(shell=True)` with user-controlled input
  • No `eval()` or `exec()` on agent-generated code without a sandbox
Passing example:

```python
ALLOWED_TOOLS = {"search", "read_file", "create_ticket"}

def execute_tool(name: str, args: dict):
    if name not in ALLOWED_TOOLS:
        raise PermissionError(f"Tool '{name}' not in allowlist")
    # Per-tool schema check: reject unknown keys and wrong types before dispatch
    validated_args = validate_args(name, args)
    return tools[name](**validated_args)
```

Check ASI-03: Excessive Agency


Verify agent capabilities are bounded — not open-ended.
What to search for:
  • Explicit capability lists or execution rings
  • Scope limits on what the agent can access
  • Principle of least privilege applied to tool access
Failing: Agent has access to all tools by default.
Passing: Agent capabilities defined as a fixed allowlist, unknown tools denied.
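The ASI-02 and ASI-03 checks above both come down to the same gate in front of every tool call: a global allowlist, a per-agent capability set, and argument validation that runs before dispatch. The following is an added example written for this page, not code from the original skill or from agent-governance-toolkit. The tool schemas, the two agents and their grants, the `/srv/agent-data` confinement root and the `DEMO_TOOLS` stand-ins are all constructed for the demonstration; the `read_file` path check shows the one argument class where type checking alone is not enough.

```python
from pathlib import Path

# Constructed registry for this example: every tool declares the argument names
# and types it accepts, and every agent is granted a fixed subset of tools.
TOOL_SCHEMAS = {
    "search": {"query": str},
    "read_file": {"path": str},
    "create_ticket": {"title": str, "body": str},
}
AGENT_CAPABILITIES = {
    "triage-agent": {"search", "create_ticket"},  # no filesystem access at all
    "docs-agent": {"search", "read_file"},
}
# Assumed confinement root for read_file; the directory need not exist to be resolved.
SANDBOX_ROOT = Path("/srv/agent-data").resolve()


def validate_args(tool: str, args: dict) -> dict:
    """Reject unknown keys and wrong types; confine read_file to SANDBOX_ROOT."""
    schema = TOOL_SCHEMAS[tool]
    unknown = set(args) - set(schema)
    if unknown:
        raise ValueError(f"{tool}: unexpected arguments {sorted(unknown)}")
    for key, expected in schema.items():
        if key not in args:
            raise ValueError(f"{tool}: missing argument '{key}'")
        if not isinstance(args[key], expected):
            raise TypeError(f"{tool}: '{key}' must be {expected.__name__}")
    if tool == "read_file":
        # Resolve against the root and refuse anything that lands outside it,
        # which covers "../" traversal and absolute paths alike.
        target = (SANDBOX_ROOT / args["path"]).resolve()
        if not target.is_relative_to(SANDBOX_ROOT):
            raise PermissionError(f"read_file: '{args['path']}' escapes {SANDBOX_ROOT}")
        return {"path": str(target)}
    return dict(args)


def execute_tool(agent: str, tool: str, args: dict, tools: dict):
    """Global allowlist (ASI-02), per-agent scope (ASI-03), then validated dispatch."""
    if tool not in TOOL_SCHEMAS:
        raise PermissionError(f"Tool '{tool}' not in allowlist")
    if tool not in AGENT_CAPABILITIES.get(agent, set()):  # unknown agents get nothing
        raise PermissionError(f"Agent '{agent}' is not granted '{tool}'")
    validated = validate_args(tool, args)
    return tools[tool](**validated)


def try_tool(agent: str, tool: str, args: dict, tools: dict) -> tuple:
    """Run one call and report ('ok', result) or ('denied', reason) without raising."""
    try:
        return "ok", str(execute_tool(agent, tool, args, tools))
    except (PermissionError, ValueError, TypeError) as exc:
        return "denied", str(exc)


# Constructed stand-in tools so the example runs without a real backend.
DEMO_TOOLS = {
    "search": lambda query: f"results for {query!r}",
    "read_file": lambda path: f"contents of {path}",
    "create_ticket": lambda title, body: f"ticket {title!r} created",
}
```

Denials are raised as exceptions rather than returned as values so that no caller can accidentally treat a blocked call as a result; `try_tool` exists only to make the outcomes easy to inspect. Note that a tool not in `TOOL_SCHEMAS` is rejected before the per-agent check, so an attacker cannot learn which agent holds which grant by probing unknown names.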

Check ASI-04: Unauthorized Escalation


Verify agents cannot promote their own privileges.
What to search for:
  • Privilege level checks before sensitive operations
  • No self-promotion patterns (agent changing its own trust score or role)
  • Escalation requires external attestation (human or SRE witness)
Failing: Agent can modify its own configuration or permissions.
Passing: Privilege changes require out-of-band approval (e.g., Ring 0 requires SRE attestation).

Check ASI-05: Trust Boundary Violation


In multi-agent systems, verify that agents verify each other's identity before accepting instructions.
What to search for:
  • Agent identity verification (DIDs, signed tokens, API keys)
  • Trust score checks before accepting delegated tasks
  • No blind trust of inter-agent messages
  • Delegation narrowing (child scope <= parent scope)
Passing example (check the signature before the trust lookup: until the signature verifies, `sender_id` is an unauthenticated claim and must not be used to select a trust record):

```python
class SecurityError(Exception):
    """Raised when an inter-agent message fails signature verification."""


def accept_task(sender_id: str, task: dict):
    if not verify_signature(task, sender_id):
        raise SecurityError("Task signature verification failed")
    trust = trust_registry.get_trust(sender_id)
    if not trust.meets_threshold(0.7):
        raise PermissionError(f"Agent {sender_id} trust too low: {trust.current()}")
    return process_task(task)
```

Check ASI-06: Insufficient Logging


Verify all agent actions produce structured, tamper-evident audit entries.
What to search for:
  • Structured logging for every tool call (not just print statements)
  • Audit entries include: timestamp, agent ID, tool name, args, result, policy decision
  • Append-only or hash-chained log format
  • Logs stored separately from agent-writable directories
Failing: Agent actions logged via `print()` or not logged at all.
Passing: Structured JSONL audit trail with chain hashes, exported to secure storage.
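A hash-chained JSONL trail of the kind the passing description calls for is small enough to show in full. The following is an added example written for this page, not the AuditChain class from agent-governance-toolkit or any code from the original skill; the field set (timestamp, agent ID, tool, args, result, policy decision) follows the bullet list above, and the SHA-256 chaining scheme is an assumption of the example. `verify_chain` shows both what the chain catches (any edit or deletion of an earlier line) and what it does not (truncation of the tail), which is why the head hash should be exported somewhere the agent cannot write.

```python
import hashlib
import json
import time
from typing import Optional

GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(prev_hash: str, body: dict) -> str:
    """Hash the canonical JSON body together with its predecessor's hash."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditChain:
    """Append-only JSONL audit log in which every line commits to the line before it."""

    def __init__(self) -> None:
        self.lines = []        # one JSON document per line, ready to write out as JSONL
        self.head = GENESIS    # hash of the latest entry; export this out of band

    def record(self, agent_id: str, tool: str, args: dict, result: str,
               decision: str, ts: Optional[float] = None) -> str:
        body = {
            "ts": time.time() if ts is None else ts,
            "agent_id": agent_id, "tool": tool, "args": args,
            "result": result, "decision": decision,
        }
        entry_hash = _entry_hash(self.head, body)
        self.lines.append(json.dumps({**body, "prev": self.head, "hash": entry_hash},
                                     sort_keys=True))
        self.head = entry_hash
        return entry_hash


def verify_chain(lines, expected_head: Optional[str] = None) -> tuple:
    """Return (ok, index): index is the first bad line, or -1 when the chain is intact.

    Passing expected_head (the last hash, stored outside the agent's reach) also
    catches silent truncation of the tail, which the chain alone cannot detect.
    """
    prev = GENESIS
    for i, line in enumerate(lines):
        rec = json.loads(line)
        body = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
        if rec.get("prev") != prev or _entry_hash(prev, body) != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(lines)
    return True, -1
```

Each line is self-describing, so an exported file can be verified by a separate process with no access to the agent's memory. The canonical JSON encoding (sorted keys, no whitespace) matters: without it, a re-serialised but otherwise identical line would fail verification.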

Check ASI-07: Insecure Identity


Verify agents have cryptographic identity, not just string names.
Failing indicators:
  • Agent identified by `agent_name = "my-agent"` (string only)
  • No authentication between agents
  • Shared credentials across agents
Passing indicators:
  • DID-based identity (`did:web:`, `did:key:`)
  • Ed25519 or similar cryptographic signing
  • Per-agent credentials with rotation
  • Identity bound to specific capabilities
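The ASI-04, ASI-05 and ASI-07 checks fit together in one mechanism: each agent holds its own Ed25519 key, its identifier is derived from the public key rather than chosen as a string, every inter-agent message is verified against that key before anything else is read from it, a delegated task may only narrow the sender's scope, and a ring change is accepted only when signed by a registered attestor other than the target. The following is an added example written for this page, not code from the original skill or from agent-governance-toolkit. It assumes the `cryptography` package (`pip install cryptography`); the `agent:ed25519:<hex>` identifier scheme, the message envelope layout and the attestor model are constructed for the example and stand in for a real `did:key` registry.

```python
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


def canonical(obj: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class AgentIdentity:
    """Per-agent Ed25519 keypair; the id is derived from the key, so a name alone proves nothing."""

    def __init__(self, name: str):
        self.name = name
        self._key = Ed25519PrivateKey.generate()
        self.public_key = self._key.public_key()
        raw = self.public_key.public_bytes(Encoding.Raw, PublicFormat.Raw)
        self.agent_id = f"agent:ed25519:{raw.hex()}"  # constructed scheme, stands in for did:key

    def sign(self, kind: str, body: dict) -> dict:
        msg = {"kind": kind, "sender": self.agent_id, "body": body}
        return {**msg, "sig": self._key.sign(canonical(msg)).hex()}


class TrustRegistry:
    """Binds agent ids to public keys, capability scopes and rings."""

    def __init__(self, attestors: set):
        self._agents = {}                 # agent_id -> {"pub", "scope", "ring"}
        self._attestors = set(attestors)  # ids allowed to witness ring changes (e.g. an SRE key)

    def register(self, ident: AgentIdentity, scope: set, ring: int) -> None:
        self._agents[ident.agent_id] = {"pub": ident.public_key, "scope": frozenset(scope), "ring": ring}

    def ring(self, agent_id: str) -> int:
        return self._agents[agent_id]["ring"]

    def _verify(self, envelope: dict, kind: str) -> dict:
        """Signature check comes first: nothing in the envelope is trusted until it passes."""
        entry = self._agents.get(envelope.get("sender"))
        if entry is None or envelope.get("kind") != kind:
            raise PermissionError("unknown sender or wrong message kind")
        try:
            msg = {k: envelope[k] for k in ("kind", "sender", "body")}
            entry["pub"].verify(bytes.fromhex(envelope["sig"]), canonical(msg))
        except (InvalidSignature, ValueError, KeyError, TypeError):
            raise PermissionError("signature verification failed") from None
        return entry

    def accept_task(self, envelope: dict) -> dict:
        """ASI-05: verified sender, and the delegated scope may only narrow the sender's grant."""
        sender = self._verify(envelope, "task")
        task = envelope["body"]
        if not set(task["scope"]) <= sender["scope"]:
            raise PermissionError("delegation widens scope beyond sender's grant")
        return task

    def promote(self, attestation: dict) -> int:
        """ASI-04: a ring change needs a signed attestation from someone other than the target."""
        self._verify(attestation, "ring_change")
        body = attestation["body"]
        target = body["target"]
        if attestation["sender"] not in self._attestors or attestation["sender"] == target:
            raise PermissionError("ring change needs an external attestor")
        if target not in self._agents:
            raise PermissionError("unknown target")
        self._agents[target]["ring"] = body["ring"]
        return body["ring"]
```

An agent that signs a `ring_change` for itself fails twice over: it is not an attestor, and sender equals target. A forged envelope that borrows another agent's id fails at the signature step, because the bytes were signed with a different key. What this example leaves out, and a production registry needs, is replay protection (a nonce or expiry inside the signed body) and key rotation with revocation.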

Check ASI-08: Policy Bypass


Verify policy enforcement is deterministic — not LLM-based.
What to search for:
  • Policy evaluation uses deterministic logic (YAML rules, code predicates)
  • No LLM calls in the enforcement path
  • Policy checks cannot be skipped or overridden by the agent
  • Fail-closed behavior (if policy check errors, action is denied)
Failing: Agent decides its own permissions via prompt ("Am I allowed to...?").
Passing: `PolicyEvaluator.evaluate()` returns allow/deny from a fixed rule set in under 0.1 ms, with no LLM involved.
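The four bullets above describe an evaluator that is pure code over the request, first-match-wins, default deny, and fail-closed. The following is an added example written for this page, not the PolicyEvaluator from agent-governance-toolkit or any code from the original skill. The rule set is constructed for the demonstration, and its `max_ring` field follows the page's execution-ring vocabulary under the assumption that ring 0 is the most privileged. The `rules` parameter exists so that a malformed rule can be fed in to show the fail-closed path.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Decision:
    action: str   # "allow" or "deny"
    reason: str


# Constructed rule set. Rules are evaluated top to bottom, first match wins,
# and anything unmatched is denied. A deny rule never consults the ring.
RULES = (
    {"effect": "deny", "tool": "*", "reason": "path traversal",
     "when": {"arg": "path", "matches": r"(^|/)\.\.(/|$)"}},
    {"effect": "deny", "tool": "shell*", "reason": "shell tools are never permitted"},
    {"effect": "allow", "tool": "search", "max_ring": 2},
    {"effect": "allow", "tool": "read_file", "max_ring": 1,
     "when": {"arg": "path", "matches": r"^docs/"}},
    {"effect": "allow", "tool": "create_ticket", "max_ring": 0},
)


def _matches(rule: dict, tool: str, args: dict) -> bool:
    """Tool glob plus an optional regex predicate on one string argument."""
    if not fnmatchcase(tool, rule["tool"]):
        return False
    cond = rule.get("when")
    if cond is None:
        return True
    value = args.get(cond["arg"])
    return isinstance(value, str) and re.search(cond["matches"], value) is not None


def evaluate(agent_ring: int, tool: str, args: dict, rules=RULES) -> Decision:
    """Deterministic allow/deny: predicates over the request only, no model call anywhere."""
    try:
        for rule in rules:
            if not _matches(rule, tool, args):
                continue
            if rule["effect"] == "allow" and agent_ring > rule["max_ring"]:
                continue  # matched, but the caller's ring is not privileged enough
            return Decision(rule["effect"], rule.get("reason", f"rule for tool '{rule['tool']}'"))
        return Decision("deny", "no matching rule (default deny)")
    except Exception as exc:  # fail closed: a malformed rule or odd input never yields allow
        return Decision("deny", f"evaluator error: {type(exc).__name__}")
```

`RULES` is a tuple and `Decision` is frozen, so agent code holding a reference to either cannot mutate its way past the check. The traversal rule is listed first deliberately: a deny that should apply regardless of tool or ring must come before any allow that could match the same request.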

Check ASI-09: Supply Chain Integrity


Verify agent plugins and tools have integrity verification.
What to search for:
  • `INTEGRITY.json` or manifest files with SHA-256 hashes
  • Signature verification on plugin installation
  • Dependency pinning (no `@latest`, no `>=` without an upper bound)
  • SBOM generation
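The manifest and pinning bullets above are mechanical enough to implement directly. The following is an added example written for this page, not code from the original skill or from agent-governance-toolkit; the `INTEGRITY.json` layout (`version`, `algorithm`, `files` keyed by POSIX-style relative path) is an assumption of the example, and `demo()` builds a constructed plugin in a temporary directory, verifies it, then tampers with it to show what the check reports. The pinning check is a simplified reading of `requirements.txt` syntax, not a full PEP 508 parser.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

MANIFEST = "INTEGRITY.json"


def _sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(plugin_dir: Path) -> dict:
    """Hash every file in the plugin tree (except the manifest itself)."""
    files = {
        p.relative_to(plugin_dir).as_posix(): _sha256(p)
        for p in sorted(plugin_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST
    }
    return {"version": 1, "algorithm": "sha256", "files": files}


def verify_plugin(plugin_dir: Path) -> list:
    """Compare the tree against INTEGRITY.json; an empty list means it is intact."""
    manifest_path = plugin_dir / MANIFEST
    if not manifest_path.is_file():
        return [f"missing {MANIFEST}"]
    expected = json.loads(manifest_path.read_text())["files"]
    actual = build_manifest(plugin_dir)["files"]
    problems = [f"missing: {rel}" for rel in expected if rel not in actual]
    problems += [f"modified: {rel}" for rel in expected
                 if rel in actual and actual[rel] != expected[rel]]
    problems += [f"unexpected: {rel}" for rel in actual if rel not in expected]  # files added after signing
    return sorted(problems)


_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")


def unpinned_requirements(requirements_txt: str) -> list:
    """Flag requirements that are neither pinned (==, ~=) nor bounded (>= with a < upper bound)."""
    flagged = []
    for raw in requirements_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or option such as -r base.txt
            continue
        m = _REQ.match(line)
        if m is None:
            continue
        name, spec = m.groups()
        if "==" in spec or "~=" in spec or (">=" in spec and "<" in spec):
            continue
        flagged.append(name)
    return flagged


def demo() -> dict:
    """Build a constructed plugin in a temp dir, sign it, tamper with it, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "demo_plugin"
        (plugin / "lib").mkdir(parents=True)
        (plugin / "plugin.py").write_text("def run(x):\n    return x\n")
        (plugin / "lib" / "helper.py").write_text("VALUE = 1\n")
        (plugin / MANIFEST).write_text(json.dumps(build_manifest(plugin), indent=2))
        clean = verify_plugin(plugin)
        (plugin / "lib" / "helper.py").write_text("import os; os.system('id')\n")  # tampered
        (plugin / "extra.py").write_text("")  # dropped in after the manifest was written
        tampered = verify_plugin(plugin)
    return {"clean": clean, "tampered": tampered}
```

A manifest only proves that the tree matches what was hashed; on its own it can be regenerated by whoever tampered with the files. The "signature verification on plugin installation" bullet is what closes that gap: the manifest bytes must be signed by the publisher's key, and the installer must verify that signature before trusting any hash in it.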

Check ASI-10: Behavioral Anomaly


Verify the system can detect and respond to agent behavioral drift.
What to search for:
  • Circuit breakers that trip on repeated failures
  • Trust score decay over time (temporal decay)
  • Kill switch or emergency stop capability
  • Anomaly detection on tool call patterns (frequency, targets, timing)
Failing: No mechanism to stop a misbehaving agent automatically. Passing: Circuit breaker trips after N failures, trust decays without activity, kill switch available.

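The three passing behaviours above (breaker trips after N failures, trust decays without activity, kill switch available) compose into a single guard that every tool call passes through. The following is an added example written for this page, not code from the original skill or from agent-governance-toolkit. The decay model (exponential, with a half-life), the score adjustments per outcome, the 0.3 trust floor and the two stand-in tools are constructed for the demonstration; time is passed in explicitly so the behaviour is reproducible.

```python
class TrustScore:
    """Score in [0, 1] that halves every half_life_s of inactivity and drops on failures."""

    def __init__(self, initial: float = 0.8, half_life_s: float = 3600.0, t0: float = 0.0):
        self._score, self._updated, self.half_life_s = initial, t0, half_life_s

    def current(self, now: float) -> float:
        return self._score * 0.5 ** ((now - self._updated) / self.half_life_s)

    def record(self, success: bool, now: float) -> float:
        base = self.current(now)  # apply decay first, then the outcome adjustment
        self._score = min(1.0, base + 0.02) if success else max(0.0, base - 0.15)
        self._updated = now
        return self._score


class CircuitBreaker:
    """Opens after max_failures consecutive failures; after cooldown_s it admits one trial call."""

    def __init__(self, max_failures: int = 3, cooldown_s: float = 60.0):
        self.max_failures, self.cooldown_s = max_failures, cooldown_s
        self.failures, self.opened_at = 0, None

    def allow(self, now: float) -> bool:
        return self.opened_at is None or now - self.opened_at >= self.cooldown_s

    def record(self, success: bool, now: float) -> None:
        if success:
            self.failures, self.opened_at = 0, None
            return
        self.failures += 1
        if self.failures >= self.max_failures:
            self.opened_at = now  # (re)open; a failed trial call re-opens immediately


class AgentGuard:
    """Gate every tool call on the kill switch, the breaker and the trust floor, in that order."""

    def __init__(self, trust: TrustScore, breaker: CircuitBreaker, min_trust: float = 0.3):
        self.trust, self.breaker, self.min_trust = trust, breaker, min_trust
        self.kill_reason = None

    def kill(self, reason: str) -> None:
        self.kill_reason = reason  # operator-driven; nothing in the agent path clears it

    def call(self, fn, now: float, *args) -> tuple:
        if self.kill_reason is not None:
            return "stopped", f"kill switch: {self.kill_reason}"
        if not self.breaker.allow(now):
            return "stopped", "circuit open"
        if self.trust.current(now) < self.min_trust:
            return "stopped", "trust below threshold"
        try:
            out, ok = str(fn(*args)), True
        except Exception as exc:
            out, ok = f"{type(exc).__name__}: {exc}", False
        self.breaker.record(ok, now)
        self.trust.record(ok, now)
        return ("ok" if ok else "failed"), out


# Constructed stand-in tools for the demonstration.
def healthy_tool() -> str:
    return "ok"


def failing_tool() -> str:
    raise RuntimeError("upstream 500")
```

The ordering in `call` is the point: the kill switch wins over everything, the breaker is checked before any work is attempted, and trust is evaluated with decay applied, so an agent that has been idle long enough is stopped even though its last recorded score was healthy. Trust decay and the breaker respond to different signals (staleness versus a burst of failures), which is why both are kept rather than one.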

Compliance Report Format

```markdown
# OWASP ASI Compliance Report

Generated: 2026-04-01
Project: my-agent-system

## Summary: 7/10 Controls Covered

| Risk | Status | Finding |
|---|---|---|
| ASI-01 Prompt Injection | PASS | PolicyEngine validates input before tool calls |
| ASI-02 Insecure Tool Use | PASS | Tool allowlist enforced in governance.py |
| ASI-03 Excessive Agency | PASS | Execution rings limit capabilities |
| ASI-04 Unauthorized Escalation | PASS | Ring promotion requires attestation |
| ASI-05 Trust Boundary | FAIL | No identity verification between agents |
| ASI-06 Insufficient Logging | PASS | AuditChain with SHA-256 chain hashes |
| ASI-07 Insecure Identity | FAIL | Agents use string names, no crypto identity |
| ASI-08 Policy Bypass | PASS | Deterministic PolicyEvaluator, no LLM in path |
| ASI-09 Supply Chain | FAIL | No integrity manifests or plugin signing |
| ASI-10 Behavioral Anomaly | PASS | Circuit breakers and trust decay active |

## Critical Gaps

- ASI-05: Add agent identity verification using DIDs or signed tokens
- ASI-07: Replace string agent names with cryptographic identity
- ASI-09: Generate INTEGRITY.json manifests for all plugins

## Recommendation

Install agent-governance-toolkit for reference implementations of all 10 controls: `pip install agent-governance-toolkit`
```

Quick Assessment Questions


Use these to rapidly assess an agent system:
  1. Does user input pass through validation before reaching any tool? (ASI-01)
  2. Is there an explicit list of what tools the agent can call? (ASI-02)
  3. Can the agent do anything, or are its capabilities bounded? (ASI-03)
  4. Can the agent promote its own privileges? (ASI-04)
  5. Do agents verify each other's identity before accepting tasks? (ASI-05)
  6. Is every tool call logged with enough detail to replay it? (ASI-06)
  7. Does each agent have a unique cryptographic identity? (ASI-07)
  8. Is policy enforcement deterministic (not LLM-based)? (ASI-08)
  9. Are plugins/tools integrity-verified before use? (ASI-09)
  10. Is there a circuit breaker or kill switch? (ASI-10)
If you answer "no" to any of these, that's a gap to address.


Related Resources
