OWASP ASI04 Compliance: How SkillShield Maps to the Agent Security Standard
SkillShield Research Team
Security Research
The First Industry Standard for AI Agent Security
In early 2026, OWASP launched the Agent Security Initiative (ASI) — the first comprehensive security standard for AI agent systems. ASI04 specifically addresses agent tool and skill security, defining requirements for scanning, validation, and runtime protection.
Why this matters: ASI04 is becoming the baseline for enterprise agent deployments. Vendors are being asked "Are you ASI04 compliant?" in security reviews. Understanding the standard — and how your tooling maps to it — is now essential.
This guide explains OWASP ASI04's requirements and how SkillShield helps you meet them.
What Is OWASP ASI04?
The Standard
ASI04: Agent Tool and Skill Security is part of OWASP's broader Agent Security Initiative. It defines security requirements for:
- Tool and skill validation
- Supply chain security
- Runtime behavior monitoring
- Access control and permissions
Core Requirements (Simplified)
| Requirement | Description | SkillShield Role |
|---|---|---|
| ASI04.1 | Pre-deployment tool scanning | ✅ Primary coverage |
| ASI04.2 | Supply chain verification | ✅ Dependency scanning |
| ASI04.3 | Runtime behavior monitoring | ⚠️ Complementary (with ClawMoat) |
| ASI04.4 | Permission and capability review | ✅ Permission analysis |
| ASI04.5 | Anomaly detection | ⚠️ Complementary (with ClawMoat) |
| ASI04.6 | Audit logging and forensics | ✅ Scan logging |
SkillShield directly addresses 4 of 6 requirements and complements the remaining 2.
Deep Dive: SkillShield + ASI04 Mapping
ASI04.1: Pre-Deployment Tool Scanning
Requirement:
"All tools and skills must be scanned for security vulnerabilities, malicious code, and policy violations before deployment to production environments."
What it means:
- No tool runs without prior security review
- Static analysis of tool code
- Detection of known vulnerabilities
- Policy compliance checks
SkillShield Implementation:
# Pre-deployment scan
skillshield scan ./my-tool/
# Output:
╔════════════════════════════════════════════════════════╗
║ Tool: my-tool v1.2.0 ║
║ Risk Score: 23/100 🟢 LOW ║
║ ║
║ ✅ No malicious patterns detected ║
║ ✅ No known vulnerabilities ║
║ ✅ Policy compliance: PASSED ║
╚════════════════════════════════════════════════════════╝
ASI04.1 Compliance:
- ✅ Static code analysis
- ✅ Vulnerability detection
- ✅ Policy enforcement
- ✅ Risk scoring
- ✅ Pass/fail gates
CI/CD Integration:
# .github/workflows/asi04-compliance.yml
- name: ASI04.1 Pre-Deployment Scan
run: |
skillshield scan ./tools/ --fail-on medium
skillshield scan ./skills/ --fail-on medium
ASI04.2: Supply Chain Verification
Requirement:
"All dependencies and third-party components must be verified for integrity, authenticity, and known security issues."
What it means:
- Dependency tree analysis
- Known vulnerability checking
- License compliance
- Provenance verification
SkillShield Implementation:
# Deep dependency scan
skillshield scan --deep ./my-tool/
# Analyzes:
# - Direct dependencies
# - Transitive dependencies
# - Known CVEs in dependency tree
# - License conflicts
ASI04.2 Compliance:
- ✅ Full dependency tree analysis
- ✅ CVE database integration
- ✅ License scanning
- ✅ Integrity verification
Report Example:
{
"asi04.2_compliance": {
"status": "COMPLIANT",
"dependencies_scanned": 47,
"vulnerabilities_found": 2,
"critical": 0,
"high": 1,
"medium": 1,
"recommended_action": "Update lodash to 4.17.21"
}
}
ASI04.3: Runtime Behavior Monitoring
Requirement:
"Agent tool execution must be monitored for anomalous behavior, unauthorized actions, and policy violations during runtime."
What it means:
- Real-time execution monitoring
- Behavioral baselines
- Anomaly detection
- Policy enforcement at runtime
SkillShield Role:
SkillShield focuses on pre-deployment scanning. For ASI04.3 runtime monitoring, SkillShield integrates with complementary tools like ClawMoat:
┌─────────────────────────────────────────────────────────────┐
│ ASI04.3 Runtime Monitoring Architecture │
├─────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────┐ ┌──────────────┐ │
│ │ SkillShield │ │ ClawMoat │ │
│ │ Pre-deploy │ │ Runtime │ │
│ │ Scan Results │──────► │ Monitor │ │
│ └──────────────┘ └──────────────┘ │
│ │ │ │
│ │ Risk profile │ Behavioral rules │
│ │ informs │ enforce │
│ ▼ ▼ │
│ ┌──────────────────────────────────────────┐ │
│ │ Combined ASI04.3 Coverage │ │
│ └──────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
Integration Example:
# Runtime config informed by SkillShield scan
clawmoat:
rules:
- tool: database-query
allowed_operations: ["SELECT"] # From SkillShield permission analysis
max_rows: 1000 # From SkillShield risk profile
forbidden_patterns: # From SkillShield content scan
- "DROP"
- "DELETE"
ASI04.3 Coverage:
- ⚠️ SkillShield provides risk profiles
- ⚠️ ClawMoat (complementary) provides runtime monitoring
- ✅ Together: Full ASI04.3 compliance
ASI04.4: Permission and Capability Review
Requirement:
"Tools must operate with minimum necessary permissions. All capabilities and access rights must be reviewed and justified."
What it means:
- Least privilege enforcement
- Permission auditing
- Capability justification
- Regular access reviews
SkillShield Implementation:
# Permission analysis
skillshield scan --permissions ./my-tool/
# Output:
Tool: my-tool
Requested Permissions:
✅ filesystem:read (justified: reads config files)
⚠️ filesystem:write (questionable: only writes logs)
🔴 network:all (excessive: only needs api.github.com)
✅ database:read (justified: core functionality)
Recommendations:
1. Restrict filesystem:write to /logs/ directory
2. Replace network:all with ["api.github.com"]
ASI04.4 Compliance:
- ✅ Permission inventory
- ✅ Risk scoring per permission
- ✅ Excessive permission detection
- ✅ Justification requirements
- ✅ Remediation guidance
Policy Enforcement:
{
"policy": {
"asi04.4_minimum_privilege": {
"forbidden_permissions": ["network:*", "filesystem:write/*"],
"require_justification": ["database:write", "filesystem:write"]
}
}
}
ASI04.5: Anomaly Detection
Requirement:
"Systems must detect and respond to unusual tool usage patterns, unauthorized access attempts, and deviation from established baselines."
What it means:
- Behavioral baselines
- Statistical anomaly detection
- Alerting on deviations
- Automated response
SkillShield Role:
SkillShield provides baseline establishment through comprehensive scanning:
# Establish baseline
skillshield scan --baseline ./production-tools/ > asi04.5-baseline.json
# Contents:
{
"baseline_id": "prod-tools-v2.1",
"established": "2026-03-20",
"tools": [
{
"name": "database-query",
"permissions": ["database:read"],
"typical_queries": ["SELECT * FROM users"],
"execution_time_avg": 45,
"execution_time_p95": 120
}
]
}
Runtime Comparison:
# Runtime tool call
if tool.execution_time > baseline.execution_time_p95 * 2:
alert("ASI04.5 Anomaly: Query time exceeded 2x baseline")
ASI04.5 Coverage:
- ⚠️ SkillShield establishes baselines
- ⚠️ ClawMoat (complementary) provides real-time detection
- ✅ Together: Full ASI04.5 compliance
ASI04.6: Audit Logging and Forensics
Requirement:
"All tool activities, security events, and policy decisions must be logged with sufficient detail for forensic analysis and compliance reporting."
What it means:
- Comprehensive audit logs
- Immutable log storage
- Forensic detail level
- Compliance reporting
SkillShield Implementation:
# Scan with full audit logging
skillshield scan ./tool/ --audit-log asi04.6-audit.json
# Log contents:
{
"scan_id": "scan_20260320_001",
"timestamp": "2026-03-20T14:32:00Z",
"tool": "my-tool",
"version": "1.2.0",
"initiated_by": "ci/cd-pipeline",
"findings": [...],
"risk_score": 23,
"compliance": {
"asi04.1": "PASSED",
"asi04.2": "PASSED",
"asi04.4": "PASSED"
}
}
ASI04.6 Compliance:
- ✅ Immutable scan logs
- ✅ Forensic detail
- ✅ Compliance reporting
- ✅ SIEM integration
SIEM Integration:
# Forward to Splunk
cat asi04.6-audit.json | splunk forward --index security
# Forward to Datadog
cat asi04.6-audit.json | datadog logs --service skillshield
Complete ASI04 Compliance with SkillShield
Architecture
┌─────────────────────────────────────────────────────────────┐
│ ASI04 Compliance Stack │
├─────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ SkillShield (Pre-Deployment) │ │
│ │ • ASI04.1: Tool scanning │ │
│ │ • ASI04.2: Supply chain verification │ │
│ │ • ASI04.4: Permission review │ │
│ │ • ASI04.6: Audit logging │ │
│ └─────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ ClawMoat (Runtime) — Optional │ │
│ │ • ASI04.3: Behavior monitoring │ │
│ │ • ASI04.5: Anomaly detection │ │
│ └─────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ ASI04 Compliance Report │ │
│ │ • 4/6 direct coverage (SkillShield) │ │
│ │ • 6/6 with ClawMoat integration │ │
│ └─────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
Compliance Report Generation
# Generate full ASI04 report
skillshield compliance owasp-asi04 --output report.json
# Contents:
{
"standard": "OWASP ASI04",
"assessment_date": "2026-03-20",
"overall_status": "COMPLIANT",
"requirements": {
"ASI04.1": {
"status": "COMPLIANT",
"evidence": "Pre-deployment scanning active",
"tool": "SkillShield"
},
"ASI04.2": {
"status": "COMPLIANT",
"evidence": "Dependency scanning enabled",
"tool": "SkillShield"
},
"ASI04.3": {
"status": "PARTIAL",
"evidence": "Requires ClawMoat integration",
"recommendation": "Deploy ClawMoat for full coverage"
},
"ASI04.4": {
"status": "COMPLIANT",
"evidence": "Permission analysis implemented",
"tool": "SkillShield"
},
"ASI04.5": {
"status": "PARTIAL",
"evidence": "Baselines established, runtime detection needed",
"recommendation": "Deploy ClawMoat for full coverage"
},
"ASI04.6": {
"status": "COMPLIANT",
"evidence": "Audit logging configured",
"tool": "SkillShield"
}
},
"recommendations": [
"Integrate ClawMoat for ASI04.3 and ASI04.5 coverage"
]
}
Implementation Guide
Step 1: Enable ASI04 Mode
# Configure SkillShield for ASI04 compliance
skillshield config set compliance.mode owasp-asi04
skillshield config set compliance.strict true
Step 2: CI/CD Integration
# .github/workflows/asi04-compliance.yml
name: OWASP ASI04 Compliance
on: [push, pull_request]
jobs:
asi04-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install SkillShield
run: npm install -g @skillshield/cli
- name: ASI04.1 Pre-Deployment Scan
run: skillshield scan ./tools/ --compliance asi04.1
- name: ASI04.2 Supply Chain Verification
run: skillshield scan --deep ./ --compliance asi04.2
- name: ASI04.4 Permission Review
run: skillshield scan --permissions ./tools/ --compliance asi04.4
- name: Generate Compliance Report
run: skillshield compliance owasp-asi04 --output asi04-report.json
- name: Upload Report
uses: actions/upload-artifact@v3
with:
name: asi04-compliance-report
path: asi04-report.json
Step 3: Runtime Integration (Optional)
For full ASI04.3 and ASI04.5 coverage:
# docker-compose.yml
services:
skillshield:
image: skillshield/scanner:latest
volumes:
- ./scans:/scans
clawmoat:
image: clawmoat/runtime:latest
environment:
- SKILLSHIELD_BASELINE=/scans/baseline.json
Step 4: Audit Logging
# Configure SIEM integration
skillshield config set audit.destination splunk
skillshield config set audit.splunk.url https://splunk.company.com
skillshield config set audit.splunk.token $SPLUNK_TOKEN
Frequently Asked Questions
"Does SkillShield make us fully ASI04 compliant?"
Answer: SkillShield provides direct coverage for 4 of 6 ASI04 requirements (ASI04.1, ASI04.2, ASI04.4, ASI04.6). For full compliance including runtime monitoring (ASI04.3) and anomaly detection (ASI04.5), integrate with ClawMoat or similar runtime protection.
"Is ASI04 certification required?"
Answer: ASI04 is an emerging standard. While not legally mandated, enterprise customers increasingly require ASI04 compliance in security questionnaires. Early adoption provides competitive advantage.
"How does this compare to SOC 2?"
Answer: ASI04 is specific to AI agent security. SOC 2 is broader. ASI04 compliance helps demonstrate SOC 2 controls for agent-related systems.
"What about ASI01-ASI03 and ASI05-ASI06?"
Answer:
- ASI01-ASI03: Agent infrastructure security (infrastructure focus)
- ASI04: Tool/skill security (SkillShield's focus)
- ASI05: Agent communication security (network/crypto focus)
- ASI06: Agent identity and access management (IAM focus)
The Bottom Line
OWASP ASI04 is the emerging standard for agent tool security.
SkillShield provides:
- ✅ Direct compliance with 4/6 requirements
- ⚠️ Partial coverage (baselines) for 2/6 requirements
- ✅ Full compliance achievable with ClawMoat integration
Key advantages:
- Pre-deployment scanning (ASI04.1)
- Supply chain verification (ASI04.2)
- Permission analysis (ASI04.4)
- Audit logging (ASI04.6)
For enterprise deployments: Pair SkillShield with ClawMoat for complete ASI04 coverage.
Resources
- OWASP ASI04 Standard: owasp.org/www-project-agent-security-initiative/
- SkillShield ASI04 Docs: docs.skillshield.dev/compliance/owasp-asi04
- ClawMoat Runtime Protection: github.com/clawmoat/clawmoat
- OWASP Agentic Top 10: owasp.org/www-project-agentic-top-10/
Questions? [email protected]
Catch risky skills before they run.
SkillShield scans skills, MCP servers, and prompt-bearing tool surfaces before they reach production.
Get early access