If OWASP's Agentic Top 10 is the checklist security teams reference, DASF v3.0 is the enterprise implementation guide data and ML engineering teams will use to operationalize it. The two frameworks complement each other — and both map directly to what SkillShield scans for.
## What DASF v3.0 Covers
The 35 new risks are organized around three sub-components that map to how AI agents actually work:
### 13A: Agent Reasoning Risks
These target the agent's decision-making loop:
- Memory Poisoning (Risk 13.1) — false context injected into agent memory that alters current or future decisions
- Cascading Hallucination Attacks (Risk 13.5) — a minor error compounds across multi-turn reasoning loops into destructive actions
- Intent Breaking & Goal Manipulation (Risk 13.6) — coercing the agent into deviating from its objective
### 13B: MCP Server Risks (the tool interface)
These target the tools agents connect to:
- Tool Poisoning (Risk 13.18) — malicious behavior injected into tool definitions
- Prompt Injection via Tool Descriptions (Risk 13.16) — bypassing security controls through crafted tool metadata
### 13C: MCP Client Risks (the connection layer)
These target how agents connect to tools:
- Malicious Server (Risk 13.26) — connecting to a compromised or impersonating MCP server
- Client-Side Code Execution (Risk 13.32) — executing malicious code received from a tool server
- Data Leakage (Risk 13.30) — sensitive data exposed through the agent-tool communication channel
### Inter-Agent Risks
- Agent Communication Poisoning (Risk 13.12) — injecting malicious messages into agent-to-agent communication
- Rogue Agents (Risk 13.13) — agents operating outside monitoring boundaries in multi-agent systems
## The Lethal Trifecta
DASF v3.0 highlights a critical concept from Meta's "Agents Rule of Two" and Simon Willison's research: the Lethal Trifecta. The risk profile spikes when three conditions are present simultaneously:
- Access to sensitive systems or private data
- Processing untrustworthy inputs (external prompts, web content, emails)
- Ability to change state or communicate externally (execute code, send emails, modify databases)
When all three are present, an indirect prompt injection embedded in untrusted data can hijack the agent's full capability set. Remove any single leg — by scoping permissions, adding a human checkpoint, or validating intent before tool selection — and the attack chain breaks.
This framing is directly relevant to skill scanning: SkillShield identifies skills that create condition #1 (excessive permissions) and condition #2 (untrusted inputs through poisoned tool descriptions), helping you break the trifecta before it forms.
## The 6 New Controls
| Control | DASF ID | What It Does |
|---|---|---|
| Least privilege for tools | DASF 5, 57, 64 | Scope agent permissions to immediate task |
| Human-in-the-loop oversight | DASF 66 | Require human verification for high-stakes actions |
| Sandboxing and isolation | DASF 34, 62 | Agent code runs in ephemeral, isolated environments |
| AI Gateway and Guardrails | DASF 54 | Monitoring, safety filtering, PII detection |
| Observability of thought | DASF 65 | Capture why the agent acted — planning steps, reasoning |
| Supply chain scanning | — | Validate tools and MCP servers before connecting |
## Where SkillShield Maps to DASF v3.0
### Direct Coverage
| DASF Risk | Risk ID | SkillShield Detection |
|---|---|---|
| Tool Poisoning | 13.18 | Prompt injection detection in tool descriptions and SKILL.md |
| Prompt Injection in Tool Descriptions | 13.16 | Direct scanning target — hidden instructions in metadata |
| Malicious Server | 13.26 | Known malicious database (533 blocked), typosquat detection |
| Client-Side Code Execution | 13.32 | Dangerous code patterns: eval, exec, shell invocation |
| Data Leakage via Tool | 13.30 | Hard-coded secrets detection, excessive permission flagging |
### Partial Coverage (Pre-Installation Layer)
| DASF Risk | Risk ID | SkillShield Contribution |
|---|---|---|
| Memory Poisoning | 13.1 | Catches poisoned tool descriptions that inject false context |
| Intent Breaking | 13.6 | Detects cross-tool manipulation in skill definitions |
| Rogue Agents | 13.13 | Blocks malicious skills that could compromise agents |
## DASF v3.0 vs OWASP Agentic Top 10
| Dimension | OWASP Agentic Top 10 | DASF v3.0 |
|---|---|---|
| Audience | Security teams, developers | Data/ML engineering, enterprise security |
| Format | 10 risk categories (ASI01-ASI10) | 35 specific risks + 6 controls |
| Granularity | Category-level guidance | Risk-ID-level with control mappings |
| MCP coverage | ASI04 names MCP supply chain | Dedicated 13B (server) and 13C (client) sections |
| Industry mapping | Standalone | Maps to MITRE ATLAS, OWASP, NIST, CSA |
## Breaking the Lethal Trifecta with Pre-Install Scanning
The practical takeaway from DASF v3.0: scan your tools before they get access to your systems.
Every MCP server and agent skill you connect creates the potential for the Lethal Trifecta. SkillShield breaks leg #1 (excessive access) by flagging over-permissioned tools and breaks leg #2 (untrusted inputs) by catching poisoned tool descriptions — before the skill is installed.
```bash
npm install -g skillshield
skillshield scan ./SKILL.md
```
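As an added example (not SkillShield's code and not part of DASF v3.0), the check below applies the Lethal Trifecta test from the two sections above to a skill's declared capabilities and its tool description: each leg is detected on its own, the skill is flagged only when all three co-occur, and one control per leg is suggested in the order the article gives (scope permissions, validate intent, human checkpoint). The capability keywords, the manifest shape and the hidden-instruction indicators are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Capability keywords per leg (constructed assumptions, not a DASF or SkillShield list)
SENSITIVE_ACCESS = {"read_files", "database_read", "read_secrets", "email_read"}
UNTRUSTED_INPUT = {"web_fetch", "email_read", "read_files"}
EXTERNAL_EFFECT = {"shell_exec", "email_send", "http_post", "database_write"}

# Indicators of hidden instructions in a tool description (poisoned metadata feeds
# leg 2): HTML comments, zero-width characters, or an explicit override phrase.
HIDDEN_INSTRUCTION = re.compile(
    r"<!--.*?-->|[\u200b\u200c\u200d\u2060]|ignore (?:all |any )?(?:previous|prior) instructions",
    re.IGNORECASE | re.DOTALL,
)

# One control per leg, following the article's three ways to break the chain
BREAK_LEG = {
    "sensitive_access": "scope permissions: drop data/system access the task does not need",
    "untrusted_input": "validate intent: reject poisoned descriptions, quarantine external content",
    "external_effect": "human checkpoint: require approval before state changes or outbound calls",
}

@dataclass
class Verdict:
    legs: dict
    complete: bool
    recommendations: list

def trifecta_legs(capabilities, description):
    """Return which of the three legs a skill's capabilities and description satisfy."""
    caps = set(capabilities)
    poisoned = HIDDEN_INSTRUCTION.search(description) is not None
    return {
        "sensitive_access": bool(caps & SENSITIVE_ACCESS),
        "untrusted_input": bool(caps & UNTRUSTED_INPUT) or poisoned,
        "external_effect": bool(caps & EXTERNAL_EFFECT),
    }

def assess(capabilities, description):
    """Flag a skill only when all three legs are present; list a control for each."""
    legs = trifecta_legs(capabilities, description)
    complete = all(legs.values())
    recs = [BREAK_LEG[leg] for leg in legs] if complete else []
    return Verdict(legs, complete, recs)

if __name__ == "__main__":
    # Constructed manifest: reads mail (private data and untrusted content) and can POST out
    print(assess({"email_read", "http_post"}, "Summarize the inbox."))
```

A skill that only reads local files satisfies two legs and is not flagged; the same read/write database skill is flagged only once its description carries a hidden instruction, which is the pre-install signal the article describes.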