安全助手
- 作者仓库星标 33,685
- 作者更新于 实时读取
- 作者仓库 awesome-copilot
- 领域
- AI 智能
- 兼容 Agent
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- 信任分
- 88 / 100 · 社区维护
- 作者 / 版本 / 许可
- @github · 未声明 license
- Token 消耗评级
- 低消耗
- 接入复杂程度
- 需简单配置
- 是否需要外部 API Key
- 不需要
- 兼容的系统
- 未声明(默认跨平台)
- 底层运行要求
- Python
- 文件与系统权限
-
- 只读
- 允许写入 / 修改
- Shell 执行
- 网络行为
- 仅限本地
- 安装命令数
- 26 条
档案由构建时根据 SKILL.md 与安装命令自动衍生,可能与作者实际意图存在差异。
需要注意: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: agent-owasp-compliance
description: | Evaluate AI agent systems against the OWASP Agentic Security Initiative (ASI) Top 10 — the ind…
category: AI 智能
runtime: Python
---
# agent-owasp-compliance 输出预览
## PART A: 任务判断
- 适用问题:提示词、Agent 工作流、模型评估或自动化推理。
- 输入要求:目标材料、限制条件、期望输出和验收方式。
- 证据边界:围绕“Overview / The 10 Risks / Check ASI-01: Prompt Injection Protection”读取原文规则,不把推断写成作者承诺。
## PART B: 执行结果
- **01** 任务判断:确认你的需求是否属于提示词、Agent 工作流、模型评估或自动化推理,并标出输入、限制和预期结果。
- **02** 执行计划:优先按“Overview / The 10 Risks / Check ASI-01: Prompt Injection Protection”拆成步骤,说明每一步会读取什么、修改什么、产出什么。
- **03** 交付结果:给出可复制的命令、文件改动、检查清单或内容草稿,并说明如何继续迭代。
- **04** 风险边界:结合 读取文件、写入/修改文件、执行终端命令、主要在本地完成、通常不需要额外 API Key 给出执行前确认项。
## Running Rules
- 读取文件、写入/修改文件、执行终端命令;主要在本地完成;通常不需要额外 API Key。
- 先小样例验证,再放大到真实任务。
- 交付时同时给结果、检查口径和下一步迭代建议。 原文没有稳定的斜杠命令要求。安装验证后通常全局生效,直接在对话里点名这个 Skill 并描述任务即可。
告诉 Agent 目标文件或材料、期望结果、不可改范围、是否允许联网或执行命令。本 Skill 的权限画像是:读取文件、写入/修改文件、执行终端命令。
先用一个小任务确认它会围绕“Overview / The 10 Risks / Check ASI-01: Prompt Injection Protection”工作;涉及文件或命令时,先看 diff、日志、预览或测试结果。
检查最终产物是否包含明确结果、必要证据和下一步动作;如果输出泛泛而谈,就补充输入、边界和验收标准后重跑。
---
name: agent-owasp-compliance
description: | Evaluate AI agent systems against the OWASP Agentic Security Initiative (ASI) Top 10 — the ind…
category: AI 智能
source: github/awesome-copilot
---
# agent-owasp-compliance
## 什么时候使用
- 把 AI / Agent方向的常用动作沉淀成 Agent 可调用的技能 适合处理AI Agent、提示词、模型评估与自动化推理,核心价值是把输入、判断、执行、验证和交付边界固定下来,避免 Agent 泛泛回答。 把任务拆成可执行、可检查…
- 面向提示词、Agent 工作流、模型评估或自动化推理,优先处理能明确输入、步骤和验收标准的工作。
## 需要提供什么
- 目标材料、目录范围、期望结果和不可改动内容。
- 是否允许联网、执行命令、读写文件或调用外部服务。
## 执行规则
- 围绕「Overview / The 10 Risks / Check ASI-01: Prompt Injection Protection」组织步骤,不把推断写成作者事实。
- 读取文件、写入/修改文件、执行终端命令;主要在本地完成;通常不需要额外 API Key。
- 先跑小样例,确认结果可检查后再扩大任务范围。
## 输出要求
- 给出最终产物、关键证据、验证方式和下一步动作。
- 信息不足时标记 unknown,不编造命令、平台或依赖。 作者原文负责流程事实;仓库文件负责来源和命令;流狐只补充适用场景、限制和质量判断。
skill "agent-owasp-compliance" {
输入层 -> 用户目标 + 目标文件 + 禁止范围 + 验收标准
上下文层 -> Overview / The 10 Risks / Check ASI-01: Prompt Injection Protection
规则层 -> SKILL.md 触发条件 / 执行顺序 / 输出格式
运行层 -> Python | 读取文件、写入/修改文件、执行终端命令 | 主要在本地完成
安全层 -> 通常不需要额外 API Key + 小任务验证 + diff / 日志复核
输出层 -> 可复制结果 + 检查清单 + 下一步迭代
} Agent OWASP ASI Compliance Check
Evaluate AI agent systems against the OWASP Agentic Security Initiative (ASI) Top 10 — the industry standard for agent security posture.
Overview
The OWASP ASI Top 10 defines the critical security risks specific to autonomous AI agents — not LLMs, not chatbots, but agents that call tools, access systems, and act on behalf of users. This skill checks whether your agent implementation addresses each risk.
Codebase → Scan for each ASI control:
ASI-01: Prompt Injection Protection
ASI-02: Tool Use Governance
ASI-03: Agency Boundaries
ASI-04: Escalation Controls
ASI-05: Trust Boundary Enforcement
ASI-06: Logging & Audit
ASI-07: Identity Management
ASI-08: Policy Integrity
ASI-09: Supply Chain Verification
ASI-10: Behavioral Monitoring
→ Generate Compliance Report (X/10 covered)
The 10 Risks
| Risk | Name | What to Look For |
|---|---|---|
| ASI-01 | Prompt Injection | Input validation before tool calls, not just LLM output filtering |
| ASI-02 | Insecure Tool Use | Tool allowlists, argument validation, no raw shell execution |
| ASI-03 | Excessive Agency | Capability boundaries, scope limits, principle of least privilege |
| ASI-04 | Unauthorized Escalation | Privilege checks before sensitive operations, no self-promotion |
| ASI-05 | Trust Boundary Violation | Trust verification between agents, signed credentials, no blind trust |
| ASI-06 | Insufficient Logging | Structured audit trail for all tool calls, tamper-evident logs |
| ASI-07 | Insecure Identity | Cryptographic agent identity, not just string names |
| ASI-08 | Policy Bypass | Deterministic policy enforcement, no LLM-based permission checks |
| ASI-09 | Supply Chain Integrity | Signed plugins/tools, integrity verification, dependency auditing |
| ASI-10 | Behavioral Anomaly | Drift detection, circuit breakers, kill switch capability |
Check ASI-01: Prompt Injection Protection
Look for input validation that runs before tool execution, not after LLM generation.
import re
from pathlib import Path
def check_asi_01(project_path: str) -> dict:
"""ASI-01: Is user input validated before reaching tool execution?"""
positive_patterns = [
"input_validation", "validate_input", "sanitize",
"classify_intent", "prompt_injection", "threat_detect",
"PolicyEvaluator", "PolicyEngine", "check_content",
]
negative_patterns = [
r"eval\(", r"exec\(", r"subprocess\.run\(.*shell=True",
r"os\.system\(",
]
# Scan Python files for signals
root = Path(project_path)
positive_matches = []
negative_matches = []
for py_file in root.rglob("*.py"):
content = py_file.read_text(errors="ignore")
for pattern in positive_patterns:
if pattern in content:
positive_matches.append(f"{py_file.name}: {pattern}")
for pattern in negative_patterns:
if re.search(pattern, content):
negative_matches.append(f"{py_file.name}: {pattern}")
positive_found = len(positive_matches) > 0
negative_found = len(negative_matches) > 0
return {
"risk": "ASI-01",
"name": "Prompt Injection",
"status": "pass" if positive_found and not negative_found else "fail",
"controls_found": positive_matches,
"vulnerabilities": negative_matches,
"recommendation": "Add input validation before tool execution, not just output filtering"
}
What passing looks like:
# GOOD: Validate before tool execution
result = policy_engine.evaluate(user_input)
if result.action == "deny":
return "Request blocked by policy"
tool_result = await execute_tool(validated_input)
What failing looks like:
# BAD: User input goes directly to tool
tool_result = await execute_tool(user_input) # No validation
Check ASI-02: Insecure Tool Use
Verify tools have allowlists, argument validation, and no unrestricted execution.
What to search for:
- Tool registration with explicit allowlists (not open-ended)
- Argument validation before tool execution
- No
subprocess.run(shell=True)with user-controlled input - No
eval()orexec()on agent-generated code without sandbox
Passing example:
ALLOWED_TOOLS = {"search", "read_file", "create_ticket"}
def execute_tool(name: str, args: dict):
if name not in ALLOWED_TOOLS:
raise PermissionError(f"Tool '{name}' not in allowlist")
# validate args...
return tools[name](**validated_args)
Check ASI-03: Excessive Agency
Verify agent capabilities are bounded — not open-ended.
What to search for:
- Explicit capability lists or execution rings
- Scope limits on what the agent can access
- Principle of least privilege applied to tool access
Failing: Agent has access to all tools by default. Passing: Agent capabilities defined as a fixed allowlist, unknown tools denied.
Check ASI-04: Unauthorized Escalation
Verify agents cannot promote their own privileges.
What to search for:
- Privilege level checks before sensitive operations
- No self-promotion patterns (agent changing its own trust score or role)
- Escalation requires external attestation (human or SRE witness)
Failing: Agent can modify its own configuration or permissions. Passing: Privilege changes require out-of-band approval (e.g., Ring 0 requires SRE attestation).
Check ASI-05: Trust Boundary Violation
In multi-agent systems, verify that agents verify each other's identity before accepting instructions.
What to search for:
- Agent identity verification (DIDs, signed tokens, API keys)
- Trust score checks before accepting delegated tasks
- No blind trust of inter-agent messages
- Delegation narrowing (child scope <= parent scope)
Passing example:
def accept_task(sender_id: str, task: dict):
trust = trust_registry.get_trust(sender_id)
if not trust.meets_threshold(0.7):
raise PermissionError(f"Agent {sender_id} trust too low: {trust.current()}")
if not verify_signature(task, sender_id):
raise SecurityError("Task signature verification failed")
return process_task(task)
Check ASI-06: Insufficient Logging
Verify all agent actions produce structured, tamper-evident audit entries.
What to search for:
- Structured logging for every tool call (not just print statements)
- Audit entries include: timestamp, agent ID, tool name, args, result, policy decision
- Append-only or hash-chained log format
- Logs stored separately from agent-writable directories
Failing: Agent actions logged via print() or not logged at all.
Passing: Structured JSONL audit trail with chain hashes, exported to secure storage.
Check ASI-07: Insecure Identity
Verify agents have cryptographic identity, not just string names.
Failing indicators:
- Agent identified by
agent_name = "my-agent"(string only) - No authentication between agents
- Shared credentials across agents
Passing indicators:
- DID-based identity (
did:web:,did:key:) - Ed25519 or similar cryptographic signing
- Per-agent credentials with rotation
- Identity bound to specific capabilities
Check ASI-08: Policy Bypass
Verify policy enforcement is deterministic — not LLM-based.
What to search for:
- Policy evaluation uses deterministic logic (YAML rules, code predicates)
- No LLM calls in the enforcement path
- Policy checks cannot be skipped or overridden by the agent
- Fail-closed behavior (if policy check errors, action is denied)
Failing: Agent decides its own permissions via prompt ("Am I allowed to...?"). Passing: PolicyEvaluator.evaluate() returns allow/deny in <0.1ms, no LLM involved.
Check ASI-09: Supply Chain Integrity
Verify agent plugins and tools have integrity verification.
What to search for:
INTEGRITY.jsonor manifest files with SHA-256 hashes- Signature verification on plugin installation
- Dependency pinning (no
@latest,>=without upper bound) - SBOM generation
Check ASI-10: Behavioral Anomaly
Verify the system can detect and respond to agent behavioral drift.
What to search for:
- Circuit breakers that trip on repeated failures
- Trust score decay over time (temporal decay)
- Kill switch or emergency stop capability
- Anomaly detection on tool call patterns (frequency, targets, timing)
Failing: No mechanism to stop a misbehaving agent automatically. Passing: Circuit breaker trips after N failures, trust decays without activity, kill switch available.
Compliance Report Format
# OWASP ASI Compliance Report
Generated: 2026-04-01
Project: my-agent-system
## Summary: 7/10 Controls Covered
| Risk | Status | Finding |
|------|--------|---------|
| ASI-01 Prompt Injection | PASS | PolicyEngine validates input before tool calls |
| ASI-02 Insecure Tool Use | PASS | Tool allowlist enforced in governance.py |
| ASI-03 Excessive Agency | PASS | Execution rings limit capabilities |
| ASI-04 Unauthorized Escalation | PASS | Ring promotion requires attestation |
| ASI-05 Trust Boundary | FAIL | No identity verification between agents |
| ASI-06 Insufficient Logging | PASS | AuditChain with SHA-256 chain hashes |
| ASI-07 Insecure Identity | FAIL | Agents use string names, no crypto identity |
| ASI-08 Policy Bypass | PASS | Deterministic PolicyEvaluator, no LLM in path |
| ASI-09 Supply Chain | FAIL | No integrity manifests or plugin signing |
| ASI-10 Behavioral Anomaly | PASS | Circuit breakers and trust decay active |
## Critical Gaps
- ASI-05: Add agent identity verification using DIDs or signed tokens
- ASI-07: Replace string agent names with cryptographic identity
- ASI-09: Generate INTEGRITY.json manifests for all plugins
## Recommendation
Install agent-governance-toolkit for reference implementations of all 10 controls:
pip install agent-governance-toolkit
Quick Assessment Questions
Use these to rapidly assess an agent system:
- Does user input pass through validation before reaching any tool? (ASI-01)
- Is there an explicit list of what tools the agent can call? (ASI-02)
- Can the agent do anything, or are its capabilities bounded? (ASI-03)
- Can the agent promote its own privileges? (ASI-04)
- Do agents verify each other's identity before accepting tasks? (ASI-05)
- Is every tool call logged with enough detail to replay it? (ASI-06)
- Does each agent have a unique cryptographic identity? (ASI-07)
- Is policy enforcement deterministic (not LLM-based)? (ASI-08)
- Are plugins/tools integrity-verified before use? (ASI-09)
- Is there a circuit breaker or kill switch? (ASI-10)
If you answer "no" to any of these, that's a gap to address.
Related Resources
- OWASP Agentic AI Threats
- Agent Governance Toolkit — Reference implementation covering 10/10 ASI controls
- agent-governance skill — Governance patterns for agent systems
先判断是否适合
作者设计意图
作者的方法与取舍
边界和复核