flintai-cli 1.0.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (147) hide show
  1. flintai/__init__.py +0 -0
  2. flintai/cli/__init__.py +0 -0
  3. flintai/cli/__main__.py +3 -0
  4. flintai/cli/builtin_config.json +911 -0
  5. flintai/cli/console.py +116 -0
  6. flintai/cli/eval_cli.py +891 -0
  7. flintai/cli/init_cli.py +144 -0
  8. flintai/cli/main.py +262 -0
  9. flintai/cli/rich_observer.py +89 -0
  10. flintai/cli/runner.py +305 -0
  11. flintai/cli/scan_cli.py +238 -0
  12. flintai/cli/utils.py +37 -0
  13. flintai/cli/version.py +1 -0
  14. flintai/data/detector_prompts/llm01_adversarial.txt +55 -0
  15. flintai/data/detector_prompts/llm01_fixed.txt +8 -0
  16. flintai/data/detector_prompts/llm02_adversarial.txt +75 -0
  17. flintai/data/detector_prompts/llm02_fixed.txt +8 -0
  18. flintai/data/detector_prompts/llm05_adversarial.txt +63 -0
  19. flintai/data/detector_prompts/llm05_fixed.txt +16 -0
  20. flintai/data/detector_prompts/llm06_adversarial.txt +135 -0
  21. flintai/data/detector_prompts/llm06_fixed.txt +15 -0
  22. flintai/data/detector_prompts/llm07_adversarial.txt +185 -0
  23. flintai/data/detector_prompts/llm07_fixed.txt +14 -0
  24. flintai/data/detector_prompts/llm09_adversarial.txt +77 -0
  25. flintai/data/detector_prompts/llm09_fixed.txt +15 -0
  26. flintai/data/llm01_prompt_injection.csv +6708 -0
  27. flintai/data/llm02_sensitive_information.csv +1069 -0
  28. flintai/data/llm05_unsafe_output.csv +3882 -0
  29. flintai/data/llm06_excessive_agency.csv +778 -0
  30. flintai/data/llm07_system_prompt_leakage.csv +971 -0
  31. flintai/data/llm09_hallucination-goals.csv +32419 -0
  32. flintai/data/llm09_hallucination.csv +599 -0
  33. flintai/data/pii_leakage.csv +706 -0
  34. flintai/data/secret_leakage.csv +1380 -0
  35. flintai/eval/__init__.py +0 -0
  36. flintai/eval/common/converter_anthropic.py +151 -0
  37. flintai/eval/common/converter_genai.py +169 -0
  38. flintai/eval/common/converter_openai.py +165 -0
  39. flintai/eval/common/log.py +96 -0
  40. flintai/eval/common/reference.py +25 -0
  41. flintai/eval/common/schema.py +192 -0
  42. flintai/eval/common/utils.py +74 -0
  43. flintai/eval/core/__init__.py +0 -0
  44. flintai/eval/core/detectors/__init__.py +1 -0
  45. flintai/eval/core/detectors/detector.py +25 -0
  46. flintai/eval/core/detectors/detector_garak.py +80 -0
  47. flintai/eval/core/detectors/detector_model.py +76 -0
  48. flintai/eval/core/detectors/detector_pii.py +64 -0
  49. flintai/eval/core/detectors/detector_secret.py +82 -0
  50. flintai/eval/core/detectors/detector_topic_guard.py +70 -0
  51. flintai/eval/core/detectors/detector_toxicity.py +70 -0
  52. flintai/eval/core/eval/__init__.py +0 -0
  53. flintai/eval/core/eval/eval_creator.py +197 -0
  54. flintai/eval/core/eval/evaluation.py +100 -0
  55. flintai/eval/core/eval/evaluation_adversarial.py +523 -0
  56. flintai/eval/core/eval/evaluation_garak_module.py +52 -0
  57. flintai/eval/core/eval/evaluation_garak_probe.py +274 -0
  58. flintai/eval/core/eval/evaluation_message_list.py +44 -0
  59. flintai/eval/core/eval/evaluation_multi.py +207 -0
  60. flintai/eval/core/eval/evaluation_single.py +79 -0
  61. flintai/eval/core/eval/evaluation_single_prompt.py +58 -0
  62. flintai/eval/core/eval/evaluation_topic_guard.py +318 -0
  63. flintai/eval/core/eval/metric_conciseness.py +181 -0
  64. flintai/eval/core/eval/metric_factual_accuracy.py +294 -0
  65. flintai/eval/core/eval/metric_instruction_adherence.py +180 -0
  66. flintai/eval/core/eval/metric_tone.py +183 -0
  67. flintai/eval/core/eval/metric_toxicity.py +147 -0
  68. flintai/eval/core/eval/observer.py +136 -0
  69. flintai/eval/core/eval/probe_adversarial.py +14 -0
  70. flintai/eval/core/message/__init__.py +0 -0
  71. flintai/eval/core/message/message_collection.py +37 -0
  72. flintai/eval/core/message/message_collection_csv.py +46 -0
  73. flintai/eval/core/message/message_collection_garak.py +52 -0
  74. flintai/eval/core/message/message_collection_memory.py +36 -0
  75. flintai/eval/core/models/__init__.py +0 -0
  76. flintai/eval/core/models/generator_model.py +88 -0
  77. flintai/eval/core/models/model.py +111 -0
  78. flintai/eval/core/models/model_adk.py +158 -0
  79. flintai/eval/core/models/model_anthropic.py +51 -0
  80. flintai/eval/core/models/model_anthropic_agent.py +92 -0
  81. flintai/eval/core/models/model_gemini.py +107 -0
  82. flintai/eval/core/models/model_generic_http.py +117 -0
  83. flintai/eval/core/models/model_huggingface.py +61 -0
  84. flintai/eval/core/models/model_langserve.py +94 -0
  85. flintai/eval/core/models/model_litellm.py +38 -0
  86. flintai/eval/core/models/model_ollama.py +50 -0
  87. flintai/eval/core/models/model_openai.py +35 -0
  88. flintai/eval/core/models/model_openai_agent.py +80 -0
  89. flintai/eval/core/models/model_openai_compatible.py +57 -0
  90. flintai/eval/core/models/model_retry.py +134 -0
  91. flintai/eval/core/models/model_sync_wrapper.py +35 -0
  92. flintai/eval/db/__init__.py +0 -0
  93. flintai/eval/db/base/__init__.py +0 -0
  94. flintai/eval/db/base/detectors/__init__.py +1 -0
  95. flintai/eval/db/base/detectors/detector_helpers.py +78 -0
  96. flintai/eval/db/base/detectors/detector_repository.py +91 -0
  97. flintai/eval/db/base/detectors/detector_types.py +77 -0
  98. flintai/eval/db/base/eval/__init__.py +1 -0
  99. flintai/eval/db/base/eval/eval_helpers.py +227 -0
  100. flintai/eval/db/base/eval/eval_repository.py +115 -0
  101. flintai/eval/db/base/eval/eval_run.py +139 -0
  102. flintai/eval/db/base/eval/eval_types.py +129 -0
  103. flintai/eval/db/base/eval/model_eval_repository.py +78 -0
  104. flintai/eval/db/base/eval/model_eval_run_repository.py +70 -0
  105. flintai/eval/db/base/eval/model_eval_run_result_repository.py +40 -0
  106. flintai/eval/db/base/eval/model_eval_run_result_types.py +21 -0
  107. flintai/eval/db/base/eval/model_eval_run_types.py +84 -0
  108. flintai/eval/db/base/eval/model_eval_types.py +71 -0
  109. flintai/eval/db/base/message/__init__.py +0 -0
  110. flintai/eval/db/base/message/message_collection_helpers.py +61 -0
  111. flintai/eval/db/base/message/message_collection_repository.py +92 -0
  112. flintai/eval/db/base/message/message_collection_types.py +89 -0
  113. flintai/eval/db/base/models/__init__.py +0 -0
  114. flintai/eval/db/base/models/model_helpers.py +172 -0
  115. flintai/eval/db/base/models/model_repository.py +95 -0
  116. flintai/eval/db/base/models/model_types.py +156 -0
  117. flintai/eval/db/json/__init__.py +0 -0
  118. flintai/eval/db/json/repository_json.py +603 -0
  119. flintai/scan/__init__.py +0 -0
  120. flintai/scan/agent_scanner.py +797 -0
  121. flintai/scan/config/agent_opengrep_rules.yaml +533 -0
  122. flintai/scan/config/agent_taxonomy.json +481 -0
  123. flintai/scan/config/agentic_cvss_mapping.yaml +136 -0
  124. flintai/scan/config/compliance_mappings.json +110 -0
  125. flintai/scan/config/triage_prompt.txt +335 -0
  126. flintai/scan/constants.py +15 -0
  127. flintai/scan/file_filter.py +156 -0
  128. flintai/scan/llm_provider.py +197 -0
  129. flintai/scan/opengrep_resolver.py +12 -0
  130. flintai/scan/reasoner.py +552 -0
  131. flintai/scan/schema.py +337 -0
  132. flintai/scan/scorer.py +371 -0
  133. flintai/scan/secret_anonymizer.py +72 -0
  134. flintai/scan/static_scanner.py +542 -0
  135. flintai/scan/taxonomy.py +75 -0
  136. flintai/scan/tool_dispatcher.py +754 -0
  137. flintai/scan/trace_logger.py +118 -0
  138. flintai/scan/trace_logger_file.py +143 -0
  139. flintai/scan/trace_logger_log.py +100 -0
  140. flintai/scan/triage.py +496 -0
  141. flintai/schema.py +58 -0
  142. flintai_cli-1.0.0.dist-info/METADATA +442 -0
  143. flintai_cli-1.0.0.dist-info/RECORD +147 -0
  144. flintai_cli-1.0.0.dist-info/WHEEL +5 -0
  145. flintai_cli-1.0.0.dist-info/entry_points.txt +2 -0
  146. flintai_cli-1.0.0.dist-info/licenses/LICENSE +210 -0
  147. flintai_cli-1.0.0.dist-info/top_level.txt +1 -0
@@ -0,0 +1,481 @@
1
+ {
2
+ "asi01_agent_goal_hijack": {
3
+ "asi_code": "ASI01",
4
+ "asi_title": "Agent Goal Hijack",
5
+ "description": "Attacker manipulates agent objectives or decision path via malicious input content",
6
+ "subcategories": {
7
+ "direct_prompt_injection": {
8
+ "title": "Direct Prompt Injection",
9
+ "description": "User-controlled input flows unsanitized into agent system prompt or LLM call",
10
+ "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L",
11
+ "severity": "critical",
12
+ "detection_hints": ["f-string with user input in prompt", "format() on prompt string", ".invoke(user_input)", ".run(user_input)"],
13
+ "remediation": "Separate user input from system instructions using distinct message roles. Validate and sanitize all external input before passing to the LLM."
14
+ },
15
+ "indirect_prompt_injection": {
16
+ "title": "Indirect Prompt Injection via Tool Output",
17
+ "description": "Agent processes external tool output or retrieved data containing injected instructions",
18
+ "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L",
19
+ "severity": "high",
20
+ "detection_hints": [
21
+ "web search tool result fed to LLM",
22
+ "file read tool output not sanitized",
23
+ "email content passed to agent context",
24
+ "external API response injected into prompt"
25
+ ],
26
+ "remediation": "Treat all tool outputs and retrieved content as untrusted data. Filter tool results for injected instructions before feeding back to the agent context."
27
+ },
28
+ "goal_manipulation_via_rag": {
29
+ "title": "Goal Manipulation via RAG or Retrieved Content",
30
+ "description": "Agent retrieves poisoned documents or vector store entries that redirect its objectives",
31
+ "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L",
32
+ "severity": "high",
33
+ "detection_hints": [
34
+ "RAG retrieval without content validation",
35
+ "vector store results fed directly to agent",
36
+ "unverified document sources in agent context"
37
+ ],
38
+ "remediation": "Validate RAG data sources for integrity. Use multiple independent sources for cross-verification. Lock agent system prompts so goal priorities are explicit and auditable."
39
+ }
40
+ }
41
+ },
42
+ "asi02_tool_misuse": {
43
+ "asi_code": "ASI02",
44
+ "asi_title": "Tool Misuse and Exploitation",
45
+ "description": "Agent uses legitimate tools in unsafe ways due to over-privilege, bad input, or poisoned descriptors",
46
+ "subcategories": {
47
+ "excessive_tool_permissions": {
48
+ "title": "Excessive Tool Permissions",
49
+ "description": "Agent granted tools far beyond what its stated goal requires \u2014 violates least-agency principle",
50
+ "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
51
+ "severity": "high",
52
+ "detection_hints": [
53
+ "shell tool registered on narrow-purpose agent",
54
+ "broad filesystem or DB access for read-only task",
55
+ "admin-level tools granted to customer-facing agent"
56
+ ],
57
+ "remediation": "Apply least-privilege principle: grant only tools the agent's stated purpose requires. Classify tools by risk level and restrict high-impact tools (send, delete, execute) to trusted contexts."
58
+ },
59
+ "unvalidated_tool_input": {
60
+ "title": "Unvalidated Tool Input Parameters",
61
+ "description": "Tool parameters flow from LLM output to function calls without type, range, or semantic validation",
62
+ "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
63
+ "severity": "medium",
64
+ "detection_hints": [
65
+ "no input validation on tool arguments",
66
+ "direct use of LLM-generated args in sensitive functions",
67
+ "no schema enforcement on tool parameters"
68
+ ],
69
+ "remediation": "Validate all tool input parameters for type, range, and format before execution. Use allowlists for permitted values. Block chained command patterns."
70
+ },
71
+ "poisoned_tool_descriptor": {
72
+ "title": "Poisoned or Tampered Tool Descriptor",
73
+ "description": "Tool definition or MCP server descriptor has been modified to redirect agent actions",
74
+ "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N",
75
+ "severity": "high",
76
+ "detection_hints": [
77
+ "tool definition loaded from external or unverified source",
78
+ "MCP server URL not pinned or verified",
79
+ "dynamic tool registration without manifest signing"
80
+ ],
81
+ "remediation": "Verify tool definitions against a trusted registry. Pin tool versions and validate checksums. Monitor for changes to tool schemas at runtime."
82
+ },
83
+ "path_traversal": {
84
+ "title": "Path Traversal in File Tools",
85
+ "description": "File read/write tools accept paths without sanitization, enabling directory traversal",
86
+ "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
87
+ "severity": "high",
88
+ "detection_hints": [
89
+ "FileReadTool or FileWriteTool with no path restriction",
90
+ "open(path) with path derived from LLM output",
91
+ "no path.resolve() or os.path.abspath() sanitization"
92
+ ],
93
+ "remediation": "Restrict file paths to a sandbox directory using Path.resolve() and startswith() validation. Reject paths containing '..' or absolute paths outside the allowed root."
94
+ }
95
+ }
96
+ },
97
+ "asi03_identity_privilege_abuse": {
98
+ "asi_code": "ASI03",
99
+ "asi_title": "Identity and Privilege Abuse",
100
+ "description": "Agents inherit, reuse, or escalate identities and credentials beyond their functional scope",
101
+ "subcategories": {
102
+ "hardcoded_credentials": {
103
+ "title": "Hardcoded API Keys or Credentials",
104
+ "description": "API keys, tokens, or passwords hardcoded in agent source or config files",
105
+ "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
106
+ "severity": "critical",
107
+ "detection_hints": [
108
+ "api_key= literal string assignment",
109
+ "OPENAI_API_KEY = '...' hardcoded",
110
+ "sk- prefix in source file",
111
+ "password or secret literal in config"
112
+ ],
113
+ "remediation": "Load credentials from environment variables or a secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault). Never store API keys, tokens, or passwords in source code."
114
+ },
115
+ "missing_auth_on_endpoint": {
116
+ "title": "Missing Authentication on Agent Endpoint",
117
+ "description": "Agent server or API endpoint exposed without authentication or TLS",
118
+ "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
119
+ "severity": "critical",
120
+ "detection_hints": [
121
+ "app.run() with no auth middleware",
122
+ "uvicorn.run(host='0.0.0.0') with no token check",
123
+ "FastAPI/Flask routes with no authentication decorator",
124
+ "HTTP server binding to 0.0.0.0"
125
+ ],
126
+ "remediation": "Enable TLS on all agent endpoints. Implement authentication (OAuth 2.0, API key verification) and restrict binding to specific network interfaces."
127
+ },
128
+ "over_privileged_agent": {
129
+ "title": "Over-Privileged Agent Role or Identity",
130
+ "description": "Agent role, backstory, or system prompt grants capabilities beyond its functional need",
131
+ "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
132
+ "severity": "high",
133
+ "detection_hints": [
134
+ "allow_delegation=True with no scope restriction",
135
+ "admin or superuser role in backstory",
136
+ "full filesystem access declared in system prompt"
137
+ ],
138
+ "remediation": "Restrict the agent's system prompt and role to only necessary capabilities. Remove broad permissions ('full access', 'admin') from agent instructions."
139
+ },
140
+ "confused_deputy": {
141
+ "title": "Confused Deputy Attack",
142
+ "description": "Agent manipulated into using its legitimate credentials to act on behalf of an attacker",
143
+ "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
144
+ "severity": "high",
145
+ "detection_hints": [
146
+ "agent uses stored OAuth/API credentials without scope check",
147
+ "no action scope restriction on credential-bearing tools",
148
+ "broad API tool access with no per-request authorization"
149
+ ],
150
+ "remediation": "Validate the identity and authorization of all callers before executing actions on their behalf. Use scoped credentials that cannot be reused across contexts."
151
+ },
152
+ "inherited_session_abuse": {
153
+ "title": "Inherited Session or Token Abuse",
154
+ "description": "Agent inherits user session, OAuth token, or SSH key with scope broader than needed",
155
+ "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N",
156
+ "severity": "high",
157
+ "detection_hints": [
158
+ "agent stores SSH or OAuth tokens in memory",
159
+ "credentials passed across agent boundaries without downscoping",
160
+ "user session token shared between multiple agents"
161
+ ],
162
+ "remediation": "Issue agent-specific credentials with minimal scope instead of inheriting user sessions. Use short-lived tokens and rotate credentials regularly."
163
+ }
164
+ }
165
+ },
166
+ "asi04_supply_chain": {
167
+ "asi_code": "ASI04",
168
+ "asi_title": "Agentic Supply Chain Vulnerabilities",
169
+ "description": "Compromised runtime components \u2014 tools, plugins, MCP servers, deps \u2014 alter agent behavior",
170
+ "subcategories": {
171
+ "unpinned_dependencies": {
172
+ "title": "Unpinned or Overly Broad Dependency Versions",
173
+ "description": "requirements.txt uses unpinned or wildcard versions enabling supply chain substitution",
174
+ "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N",
175
+ "severity": "high",
176
+ "detection_hints": [
177
+ ">= version constraint on AI framework package",
178
+ "~= or * version in requirements",
179
+ "no version pin on crewai, langchain, openai, anthropic"
180
+ ],
181
+ "remediation": "Pin all dependency versions with == in requirements files. Use a lock file to ensure reproducible builds. Run dependency scanning in CI."
182
+ },
183
+ "known_vulnerable_dependency": {
184
+ "title": "Known Vulnerable Dependency (CVE)",
185
+ "description": "A package in the dependency tree has a known CVE in the OSV/NVD database",
186
+ "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
187
+ "severity": "critical",
188
+ "detection_hints": ["pip-audit findings", "OSV.dev advisory matches"],
189
+ "remediation": "Upgrade the affected package to the fixed version. If no fix exists, evaluate alternatives or apply compensating controls."
190
+ },
191
+ "untrusted_external_tool": {
192
+ "title": "Untrusted or Unverified External Tool/Plugin",
193
+ "description": "Agent dynamically loads tools, MCP servers, or plugins without signature or registry verification",
194
+ "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N",
195
+ "severity": "high",
196
+ "detection_hints": [
197
+ "MCP server URL loaded from config without pinning",
198
+ "dynamic tool import without hash verification",
199
+ "third-party plugin loaded without signed manifest"
200
+ ],
201
+ "remediation": "Source tools and MCP servers from trusted registries only. Verify signatures and scan code/dependencies before deployment. Proxy agent requests through a gateway."
202
+ }
203
+ }
204
+ },
205
+ "asi05_unexpected_code_execution": {
206
+ "asi_code": "ASI05",
207
+ "asi_title": "Unexpected Code Execution",
208
+ "description": "Agent generates or runs code, commands, or scripts without safe sandboxing or review",
209
+ "subcategories": {
210
+ "arbitrary_code_execution": {
211
+ "title": "Arbitrary Code Execution via Tool or eval()",
212
+ "description": "Agent executes shell commands or eval() with parameters derived from LLM output or user input",
213
+ "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
214
+ "severity": "critical",
215
+ "detection_hints": [
216
+ "eval(x) where x comes from LLM or user",
217
+ "exec(script_content)",
218
+ "subprocess.run(shell=True)",
219
+ "os.system(cmd)",
220
+ "CodeInterpreterTool with no sandbox"
221
+ ],
222
+ "remediation": "Replace eval()/exec() with safe alternatives (ast.literal_eval(), operator-based parsers). Use subprocess with argument lists, never shell=True. Sandbox code execution in containers."
223
+ },
224
+ "unsafe_code_generation": {
225
+ "title": "Generated Code Executed Without Review",
226
+ "description": "Agent-generated code or patches applied directly without human preview or sandboxed testing",
227
+ "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N",
228
+ "severity": "high",
229
+ "detection_hints": [
230
+ "code generation tool with auto-apply flag",
231
+ "generated patches run without review step",
232
+ "no human_input=True before code execution task"
233
+ ],
234
+ "remediation": "Review all agent-generated code before execution. Run generated code in a sandboxed environment with restricted filesystem and network access."
235
+ },
236
+ "unsafe_deserialization": {
237
+ "title": "Unsafe Deserialization of Agent State",
238
+ "description": "Agent deserializes untrusted data (pickle, YAML load, JSON with class hooks) enabling code execution",
239
+ "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
240
+ "severity": "high",
241
+ "detection_hints": ["pickle.loads() on external data", "yaml.load() without SafeLoader", "json deserialization with object_hook"],
242
+ "remediation": "Replace pickle.loads() with json.loads(). Use yaml.safe_load() instead of yaml.load(). Never deserialize data from untrusted sources."
243
+ }
244
+ }
245
+ },
246
+ "asi06_memory_context_poisoning": {
247
+ "asi_code": "ASI06",
248
+ "asi_title": "Memory and Context Poisoning",
249
+ "description": "Persistent memory, RAG stores, or context summaries poisoned to alter future agent behavior",
250
+ "subcategories": {
251
+ "memory_poisoning": {
252
+ "title": "Agent Memory Poisoning",
253
+ "description": "Persistent agent memory stores unsanitized content that poisons future reasoning sessions",
254
+ "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:N",
255
+ "severity": "high",
256
+ "detection_hints": ["memory=True with no content filter", "store_memory() called on unvalidated output", "append to memory without sanitization"],
257
+ "remediation": "Scan all memory writes for malicious content before commit. Track provenance of memory entries. Use expiry and down-weighting for unverified memories."
258
+ },
259
+ "persistent_memory_no_sanitization": {
260
+ "title": "Persistent Memory Without Content Filtering",
261
+ "description": "Agent stores conversation history or tool outputs persistently with no PII or injection filtering",
262
+ "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
263
+ "severity": "medium",
264
+ "detection_hints": [
265
+ "ChromaDB or vector store write without filter",
266
+ "memory=True on CrewAI agent or crew",
267
+ "no content filter before vector store ingestion"
268
+ ],
269
+ "remediation": "Filter PII, credentials, and injection patterns from content before storing in memory. Implement content classification and redaction rules."
270
+ },
271
+ "cross_session_contamination": {
272
+ "title": "Cross-Session or Cross-Tenant Memory Contamination",
273
+ "description": "Shared memory or state between agent sessions exposes data from one user or tenant to another",
274
+ "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
275
+ "severity": "high",
276
+ "detection_hints": [
277
+ "global memory object shared across requests",
278
+ "vector DB without tenant/user isolation",
279
+ "Crew memory=True with shared vector store"
280
+ ],
281
+ "remediation": "Use per-session or per-tenant memory with UUID-based isolation. Clear shared state between sessions. Enforce memory namespace boundaries."
282
+ },
283
+ "rag_poisoning": {
284
+ "title": "RAG Database Poisoning",
285
+ "description": "Attacker injects adversarial content into RAG knowledge base to manipulate agent responses",
286
+ "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N",
287
+ "severity": "high",
288
+ "detection_hints": [
289
+ "RAG ingestion without source validation",
290
+ "unverified external documents added to vector store",
291
+ "no provenance tracking on RAG entries"
292
+ ],
293
+ "remediation": "Validate and authenticate all documents before indexing into RAG. Implement content integrity checks. Monitor for anomalous insertions into vector stores."
294
+ }
295
+ }
296
+ },
297
+ "asi07_insecure_interagent_comms": {
298
+ "asi_code": "ASI07",
299
+ "asi_title": "Insecure Inter-Agent Communication",
300
+ "description": "Agent-to-agent messages lack authentication, encryption, or semantic validation",
301
+ "subcategories": {
302
+ "unauthenticated_agent_communication": {
303
+ "title": "Unauthenticated Agent-to-Agent Communication",
304
+ "description": "Messages between agents carry no cryptographic identity proof \u2014 any party can spoof an agent",
305
+ "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N",
306
+ "severity": "high",
307
+ "detection_hints": [
308
+ "agent communication with no sender authentication",
309
+ "GroupChat with no speaker verification",
310
+ "agent messages trusted implicitly by role name"
311
+ ],
312
+ "remediation": "Require mutual authentication (mTLS, signed tokens) for all agent-to-agent communication. Verify sender identity before processing messages."
313
+ },
314
+ "unencrypted_agent_channel": {
315
+ "title": "Unencrypted Agent Communication Channel",
316
+ "description": "Inter-agent communication sent over plain HTTP or unencrypted channels \u2014 susceptible to interception",
317
+ "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
318
+ "severity": "high",
319
+ "detection_hints": [
320
+ "http:// URL used for agent endpoint communication",
321
+ "no TLS configured on agent server",
322
+ "plain socket communication between agents"
323
+ ],
324
+ "remediation": "Use TLS/HTTPS for all inter-agent communication. Never transmit agent messages over plain HTTP. Enable certificate verification."
325
+ },
326
+ "unvalidated_agent_message": {
327
+ "title": "Unvalidated Inter-Agent Message Content",
328
+ "description": "Agent blindly trusts and acts on messages from other agents without semantic or schema validation",
329
+ "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N",
330
+ "severity": "high",
331
+ "detection_hints": [
332
+ "agent trusts all inputs from upstream agent without validation",
333
+ "no message schema enforcement between agents",
334
+ "inter-agent results used directly without sanity check"
335
+ ],
336
+ "remediation": "Validate all incoming agent messages against an expected schema. Reject messages with unexpected fields, types, or instruction patterns."
337
+ }
338
+ }
339
+ },
340
+ "asi08_cascading_failures": {
341
+ "asi_code": "ASI08",
342
+ "asi_title": "Cascading Failures",
343
+ "description": "Errors in one agent propagate across multi-agent pipelines with compounding destructive impact",
344
+ "subcategories": {
345
+ "unbounded_agent_loop": {
346
+ "title": "Unbounded Agent Execution Loop",
347
+ "description": "Agent loop has no max iteration count or timeout \u2014 enables resource exhaustion or runaway execution",
348
+ "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
349
+ "severity": "medium",
350
+ "detection_hints": ["max_iter not set on agent or crew", "no timeout on agent execution", "while True in agent execution loop"],
351
+ "remediation": "Set max_iterations, max_turns, or recursion_limit on all agent loops. Add timeout mechanisms. Implement circuit breakers to halt runaway execution."
352
+ },
353
+ "missing_circuit_breaker": {
354
+ "title": "Missing Circuit Breaker Between Agents",
355
+ "description": "No isolation or failure boundary between agents \u2014 a failure in one propagates unchecked to all downstream",
356
+ "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H",
357
+ "severity": "high",
358
+ "detection_hints": [
359
+ "no error handling between agent task calls",
360
+ "agent chain with no retry or fallback logic",
361
+ "downstream agent receives unvalidated upstream output"
362
+ ],
363
+ "remediation": "Add failure isolation boundaries between agents. Implement circuit breakers that trip when error rates exceed thresholds. Limit blast radius of individual agent failures."
364
+ },
365
+ "missing_blast_radius_limit": {
366
+ "title": "No Blast Radius or Rate Limit on Agent Actions",
367
+ "description": "Agent can invoke unlimited downstream actions or API calls without throttling or scope caps",
368
+ "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H",
369
+ "severity": "high",
370
+ "detection_hints": [
371
+ "no rate limiting on tool invocations",
372
+ "agent spawns sub-agents with no concurrency limit",
373
+ "recursive agent delegation with no depth cap"
374
+ ],
375
+ "remediation": "Set rate limits and quotas on agent API calls and downstream actions. Cap the number of operations per execution cycle."
376
+ }
377
+ }
378
+ },
379
+ "asi09_human_agent_trust_exploitation": {
380
+ "asi_code": "ASI09",
381
+ "asi_title": "Human-Agent Trust Exploitation",
382
+ "description": "Users manipulated into harmful decisions by trusting persuasive or authoritative agent outputs",
383
+ "subcategories": {
384
+ "no_human_in_the_loop": {
385
+ "title": "No Human-in-the-Loop for Sensitive Actions",
386
+ "description": "Agent executes sensitive operations (file write, code exec, payments) without mandatory human approval",
387
+ "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:H/SA:N",
388
+ "severity": "medium",
389
+ "detection_hints": [
390
+ "human_input_mode=NEVER on sensitive agent",
391
+ "no human_input=True on high-impact tasks",
392
+ "auto-approve flag on action-taking agent"
393
+ ],
394
+ "remediation": "Require human approval for sensitive operations (file writes, deletions, payments, code execution). Use approval hooks or human_input_mode settings."
395
+ },
396
+ "sensitive_data_in_output": {
397
+ "title": "Sensitive Data Logged or Output Without Redaction",
398
+ "description": "Agent outputs or logs expose PII, credentials, or confidential data without filtering",
399
+ "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
400
+ "severity": "high",
401
+ "detection_hints": [
402
+ "print(result) with full LLM response",
403
+ "verbose=True on agent handling sensitive context",
404
+ "logging full tool output without PII scrubbing"
405
+ ],
406
+ "remediation": "Implement output filtering to redact PII, credentials, and internal data before returning results. Use DLP rules and pattern-based scrubbing."
407
+ },
408
+ "missing_action_confirmation": {
409
+ "title": "Missing Confirmation Gate for High-Risk Actions",
410
+ "description": "High-impact actions (delete, send, pay, deploy) executed without explicit user confirmation step",
411
+ "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:H/SA:H",
412
+ "severity": "high",
413
+ "detection_hints": [
414
+ "delete or drop operations in agent tool with no confirm step",
415
+ "financial transaction tool without approval gate",
416
+ "deploy or publish action without human sign-off"
417
+ ],
418
+ "remediation": "Add explicit confirmation gates before destructive / high-impact operations (delete, drop, send, deploy). Require user input before proceeding with high-impact actions."
419
+ },
420
+ "persuasive_agent_language": {
421
+ "title": "Persuasive or Manipulative Agent Output Patterns",
422
+ "description": "Agent system prompt or backstory instructs it to use persuasive language that may manipulate users into unsafe decisions",
423
+ "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:H/SA:N",
424
+ "severity": "medium",
425
+ "detection_hints": [
426
+ "backstory instructs agent to be persuasive",
427
+ "goal includes convincing or influencing users",
428
+ "system prompt uses emotional or urgency language"
429
+ ],
430
+ "remediation": "Audit agent system prompts for persuasive or manipulative language patterns. Ensure agent output is factual and neutral, not designed to pressure user decisions."
431
+ }
432
+ }
433
+ },
434
+ "asi10_rogue_agents": {
435
+ "asi_code": "ASI10",
436
+ "asi_title": "Rogue Agents",
437
+ "description": "Compromised or misaligned agents act outside their intended scope without external triggering",
438
+ "subcategories": {
439
+ "missing_kill_switch": {
440
+ "title": "No Kill Switch or Emergency Stop Mechanism",
441
+ "description": "Agent system has no mechanism to immediately halt or terminate agent execution",
442
+ "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:H/SA:H",
443
+ "severity": "high",
444
+ "detection_hints": ["no max_iter or timeout on agent", "no signal handler or shutdown mechanism", "no graceful termination path in agent code"],
445
+ "remediation": "Implement an emergency stop mechanism to immediately halt agent execution across all endpoints. Maintain a centralized policy to disable agents organization-wide."
446
+ },
447
+ "missing_behavioral_guardrails": {
448
+ "title": "No Behavioral Constraints or Guardrails",
449
+ "description": "Agent has no explicit operational constraints \u2014 can take any action its tools allow without scope limits",
450
+ "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N",
451
+ "severity": "high",
452
+ "detection_hints": [
453
+ "agent goal is open-ended with no explicit action boundaries",
454
+ "no denylist or allowlist on tool usage",
455
+ "system prompt sets no scope restrictions"
456
+ ],
457
+ "remediation": "Define explicit operational constraints in the agent's configuration. Add input and output guardrails. Enforce output schema validation."
458
+ },
459
+ "unchecked_agent_delegation": {
460
+ "title": "Unchecked Agent Delegation",
461
+ "description": "Agent can delegate tasks to sub-agents with no scope, identity, or depth constraints",
462
+ "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N",
463
+ "severity": "high",
464
+ "detection_hints": [
465
+ "allow_delegation=True with no whitelist",
466
+ "GroupChat with no speaker selection policy",
467
+ "recursive agent spawning with no depth limit"
468
+ ],
469
+ "remediation": "Add callbacks before/after agent calls or input guardrails on delegating agents. Validate delegated tasks against a scope allowlist. Limit delegation depth."
470
+ },
471
+ "missing_agent_monitoring": {
472
+ "title": "No Agent Behavioral Monitoring or Observability",
473
+ "description": "Agent actions, tool calls, and decisions are not logged or monitored \u2014 rogue behavior is undetectable",
474
+ "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
475
+ "severity": "medium",
476
+ "detection_hints": ["no logging of tool invocations", "no audit trail for agent decisions", "verbose=False with no alternative observability"],
477
+ "remediation": "Enable structured logging of all tool invocations, decisions, and outputs. Set verbose=True or integrate with observability platforms. Monitor for behavioral drift."
478
+ }
479
+ }
480
+ }
481
+ }
@@ -0,0 +1,136 @@
1
+ # agentic_cvss_mapping.yaml
2
+ # CVSS v4 base vectors for all OWASP ASI01-ASI10 subcategories.
3
+ #
4
+ # Pattern mirrors the MCP scan agent's cvss_mapping.yaml.
5
+ # compute_cvss() in tool_dispatcher.py loads this file and adjusts
6
+ # vectors based on deployment context flags before computing the score.
7
+ #
8
+ # Vectors are the BASE case (local access, no auth). The compute_cvss()
9
+ # tool adjusts AV, PR, UI, SC/SI/SA based on boolean context flags:
10
+ # exposed_over_network -> AV:N
11
+ # requires_auth -> PR:L
12
+ # user_interaction -> UI:P
13
+ # affects_remote_system -> SC:H / SI:H / SA:H
14
+ #
15
+ # Reference: FIRST.org CVSS v4 specification
16
+ # Taxonomy: OWASP Top 10 for Agentic Applications 2026 (ASI01-ASI10)
17
+
18
+ agentic_cvss_mapping:
19
+
20
+ # ── ASI01: Agent Goal Hijack ──────────────────────────────────────────────
21
+ direct_prompt_injection:
22
+ vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
23
+
24
+ indirect_prompt_injection:
25
+ vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
26
+
27
+ goal_manipulation_via_rag:
28
+ vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
29
+
30
+ # ── ASI02: Tool Misuse and Exploitation ───────────────────────────────────
31
+ excessive_tool_permissions:
32
+ vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
33
+
34
+ unvalidated_tool_input:
35
+ vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
36
+
37
+ poisoned_tool_descriptor:
38
+ vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N
39
+
40
+ path_traversal:
41
+ vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
42
+
43
+ # ── ASI03: Identity and Privilege Abuse ───────────────────────────────────
44
+ hardcoded_credentials:
45
+ vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
46
+
47
+ missing_auth_on_endpoint:
48
+ vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
49
+
50
+ over_privileged_agent:
51
+ vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
52
+
53
+ confused_deputy:
54
+ vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
55
+
56
+ inherited_session_abuse:
57
+ vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N
58
+
59
+ # ── ASI04: Agentic Supply Chain Vulnerabilities ───────────────────────────
60
+ unpinned_dependencies:
61
+ vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N
62
+
63
+ known_vulnerable_dependency:
64
+ vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
65
+
66
+ untrusted_external_tool:
67
+ vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N
68
+
69
+ # ── ASI05: Unexpected Code Execution ─────────────────────────────────────
70
+ arbitrary_code_execution:
71
+ vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
72
+
73
+ unsafe_code_generation:
74
+ vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N
75
+
76
+ unsafe_deserialization:
77
+ vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
78
+
79
+ # ── ASI06: Memory and Context Poisoning ───────────────────────────────────
80
+ memory_poisoning:
81
+ vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:N
82
+
83
+ persistent_memory_no_sanitization:
84
+ vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
85
+
86
+ cross_session_contamination:
87
+ vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
88
+
89
+ rag_poisoning:
90
+ vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N
91
+
92
+ # ── ASI07: Insecure Inter-Agent Communication ─────────────────────────────
93
+ unauthenticated_agent_communication:
94
+ vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N
95
+
96
+ unencrypted_agent_channel:
97
+ vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
98
+
99
+ unvalidated_agent_message:
100
+ vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N
101
+
102
+ # ── ASI08: Cascading Failures ─────────────────────────────────────────────
103
+ unbounded_agent_loop:
104
+ vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
105
+
106
+ missing_circuit_breaker:
107
+ vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H
108
+
109
+ missing_blast_radius_limit:
110
+ vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H
111
+
112
+ # ── ASI09: Human-Agent Trust Exploitation ─────────────────────────────────
113
+ no_human_in_the_loop:
114
+ vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:H/SA:N
115
+
116
+ sensitive_data_in_output:
117
+ vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
118
+
119
+ missing_action_confirmation:
120
+ vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:H/SA:H
121
+
122
+ persuasive_agent_language:
123
+ vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:H/SA:N
124
+
125
+ # ── ASI10: Rogue Agents ───────────────────────────────────────────────────
126
+ missing_kill_switch:
127
+ vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:H/SA:H
128
+
129
+ missing_behavioral_guardrails:
130
+ vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N
131
+
132
+ unchecked_agent_delegation:
133
+ vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N
134
+
135
+ missing_agent_monitoring:
136
+ vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N