owasp-llm-top-10
Original:🇺🇸 English
Translated
OWASP Top 10 for LLM Applications - prevention, detection, and remediation for LLM and GenAI security. Use when building or reviewing LLM apps - prompt injection, information disclosure, training/supply chain, poisoning, output handling, excessive agency, system prompt leakage, vectors/embeddings, misinformation, unbounded consumption.
5installs
Sourceyariv1025/skills
Added on
NPX Install
npx skill4agent add yariv1025/skills owasp-llm-top-10Tags
Translated version includes tags in frontmatterSKILL.md Content
View Translation Comparison →OWASP Top 10 for LLM Applications
This skill encodes the OWASP Top 10 for Large Language Model Applications for secure LLM/GenAI design and review. References are loaded per risk. Based on OWASP Top 10 for LLM Applications 2025.
When to Read Which Reference
| Risk | Read |
|---|---|
| LLM01 Prompt Injection | references/llm01-prompt-injection.md |
| LLM02 Sensitive Information Disclosure | references/llm02-sensitive-information-disclosure.md |
| LLM03 Training Data & Supply Chain | references/llm03-training-data-supply-chain.md |
| LLM04 Data and Model Poisoning | references/llm04-data-model-poisoning.md |
| LLM05 Improper Output Handling | references/llm05-improper-output-handling.md |
| LLM06 Excessive Agency | references/llm06-excessive-agency.md |
| LLM07 System Prompt Leakage | references/llm07-system-prompt-leakage.md |
| LLM08 Vector and Embedding Weaknesses | references/llm08-vector-embedding-weaknesses.md |
| LLM09 Misinformation | references/llm09-misinformation.md |
| LLM10 Unbounded Consumption | references/llm10-unbounded-consumption.md |
Quick Patterns
- Treat all user and external input as untrusted; validate and sanitize LLM outputs before use (XSS, SSRF, RCE). Limit agency and tool use; protect system prompts and RAG data. Apply rate limits and cost controls.
Quick Reference / Examples
| Task | Approach |
|---|---|
| Prevent prompt injection | Use delimiters, validate input, separate system/user context. See LLM01. |
| Protect sensitive data | Filter PII from training/prompts, apply output guards. See LLM02. |
| Validate LLM output | Sanitize before rendering (XSS) or executing (RCE). See LLM05. |
| Limit agency | Require human approval for destructive actions; scope tool permissions. See LLM06. |
| Control costs | Apply token limits, rate limiting, and budget caps. See LLM10. |
Safe - delimiter and input validation:
python
system_prompt = """You are a helpful assistant.
<user_input>
{sanitized_user_input}
</user_input>
Answer based only on the user input above."""Unsafe - direct concatenation (injection risk):
python
prompt = f"Answer this question: {user_input}" # User can inject instructionsOutput sanitization before rendering:
python
import html
safe_output = html.escape(llm_response) # Prevent XSS if rendering in browserWorkflow
Load the reference for the risk you are addressing. See OWASP Top 10 for LLM Applications and genai.owasp.org for the official list.