OWASP Agentic Security Classification Framework

v20260424

owasp-asi

This framework implements the OWASP Top 10 standards, specifically tailored for Agentic Applications. It provides a standardized methodology to classify and map diverse security findings—such as prompt injection, tool misuse, and privilege abuse—to ten core risk categories (ASI01-ASI10). It is essential for security teams to systematically assess, prioritize, and remediate vulnerabilities inherent in complex AI agent systems.

OWASP Security AI Agents Classification Risk Vulnerability

Get Skill

218 downloads

Overview

OWASP ASI Classification Framework

OWASP Top 10 for Agentic Applications 2026 - Standardized risk classification for AI agent security.

Risk Categories

ID	Risk Type	Key Indicators
ASI01	Agent Goal Hijack	Prompt injection, instruction override, goal manipulation
ASI02	Tool Misuse & Exploitation	Unauthorized tool calls, parameter tampering, unvalidated inputs
ASI03	Identity & Privilege Abuse	Auth bypass, permission escalation, missing authorization
ASI04	Agentic Supply Chain	Malicious dependencies, compromised tools, package poisoning
ASI05	Unexpected Code Execution	RCE, command injection, code evaluation
ASI06	Memory & Context Poisoning	Data leakage, context manipulation, memory corruption
ASI07	Insecure Inter-Agent Comm	Unencrypted channels, data exposure between agents
ASI08	Cascading Failures	Error propagation, chain reaction vulnerabilities
ASI09	Human-Agent Trust Exploit	Social engineering, deceptive responses
ASI10	Rogue Agents	Malicious agent behavior, unauthorized actions

Detection Source → ASI Mapping

Detection Source	Type	Primary ASI	Secondary ASI
`data-leakage-detection`	Skill	ASI06, ASI07	ASI01, ASI03
`tool-abuse-detection`	Skill	ASI02, ASI05, ASI07	ASI03
`indirect-injection-detection`	Skill	ASI01	ASI06
`authorization-bypass-detection`	Skill	ASI03	ASI09
Prompt Injection tests	Dialogue	ASI01, ASI06	ASI09
Code Audit	Agent	ASI04, ASI05	ASI10

Finding → ASI Mapping

Finding Type	ASI Category	Rationale
API keys, tokens	ASI06	Context contains sensitive data
System prompts	ASI01	Enables goal hijacking
Credentials	ASI03	Identity abuse risk
Internal configs	ASI04	Supply chain exposure
PII exposure	ASI07	Inter-agent data leak
Command injection	ASI05	Unexpected code execution
Unauthorized tool calls	ASI02	Tool misuse

Severity Classification

Critical 🚨

Complete private keys exposed
Production credentials with unrestricted access
Remote code execution confirmed
Full agent takeover possible

Action: Immediate remediation (within 24 hours)

High ⚠️

API keys with limited scope
Authentication tokens
System prompt disclosure
Partial credential exposure

Action: Urgent remediation (within 1 week)

Medium 💡

Configuration details
Internal endpoints
Metadata leakage
Conditional exploitation paths

Action: Address within 2-4 weeks

Low ℹ️

Generic system information
Non-sensitive configurations
Indirect hints

Action: Review as time permits

Usage

Load this skill when performing OWASP ASI classification:

load_skill(name="owasp-asi")

Then apply the mapping rules to classify findings.

Info

Category Development

Name owasp-asi

Version v20260424

Size 3.14KB

Source Tencent/AI-Infra-Guard

Updated At 2026-04-28