SkillShield vs. the OWASP Agentic Top 10: Which ASI Risks Does It Catch?
SkillShield Research Team
Security Research
OWASP released the Top 10 for Agentic Applications in late 2025, and it's already the canonical reference for AI agent security. Developed by 100+ industry experts, researchers, and practitioners, the framework names ten risk categories (ASI01 through ASI10) that every team building autonomous AI systems needs to understand.
ASI04 — Agentic Supply Chain Vulnerabilities — explicitly calls out compromised MCP servers, poisoned plugins, and malicious tool registries as attack vectors. This is exactly what SkillShield was built to scan for.
But what about the other nine? Here's an honest mapping of each ASI risk category to SkillShield's current capabilities: what it catches, what it partially covers, and what falls outside its scanning surface.
The Full Mapping
| ASI | Risk | SkillShield Coverage |
|---|---|---|
| ASI01 | Agent Goal Hijack | Partial |
| ASI02 | Tool Misuse and Exploitation | Direct |
| ASI03 | Identity and Privilege Abuse | Partial |
| ASI04 | Agentic Supply Chain Vulnerabilities | Full |
| ASI05 | Unexpected Code Execution | Partial |
| ASI06 | Memory and Context Poisoning | Out of scope |
| ASI07 | Insecure Inter-Agent Communication | Out of scope |
| ASI08 | Cascading Failures | Informational |
| ASI09 | Human-Agent Trust Exploitation | Indirect |
| ASI10 | Rogue Agents | Indirect |
Let's walk through each one.
ASI04 — Agentic Supply Chain Vulnerabilities (Full Coverage)
This is SkillShield's centerpiece and the reason the product exists.
OWASP defines ASI04 as the risk from compromised components in the agentic supply chain: tools, plugins, prompt templates, model files, external MCP servers, and other agents. Many of these are fetched dynamically at runtime. A single compromised component can alter agent behavior or exfiltrate data.
What SkillShield catches:
- Malicious MCP servers — SkillShield has scanned 33,746 AI extensions across six registries (ClawHub, SkillsMP, Skills.lc, MCP Registry, MCPMarket, Awesome MCP). 533 malicious entries blocked at a 99.8% detection rate.
- Poisoned tool descriptions — Tool descriptions that contain hidden instructions, data exfiltration commands, or cross-tool manipulation directives are flagged during static analysis.
- Dependency and typosquatting risks — The scanner identifies skills that impersonate trusted packages or reference suspicious dependencies.
- Unsigned and unverified components — The scored directory provides a trust baseline, so you can compare before installing.
OWASP's recommended mitigations for ASI04 include signed manifests, curated registries, dependency pinning, sandboxing, and kill switches. SkillShield provides the curated registry and pre-installation scanning layers. It doesn't handle runtime kill switches or dynamic sandboxing — those are enforcement-layer concerns.
Bottom line: If you're using MCP servers or AI skills from any public registry, SkillShield is the scanning layer OWASP ASI04 describes. No other tool currently occupies this position.
ASI02 — Tool Misuse and Exploitation (Direct Coverage)
Tool Misuse occurs when an agent uses legitimate tools in unsafe ways — calling tools with destructive parameters, chaining tools in unexpected sequences, or executing commands from poisoned tool descriptors.
What SkillShield catches:
- Over-permissioned tool schemas — Skills that request unrestricted filesystem access, network access, or shell execution are flagged. SkillShield scores permission scope and highlights tools that ask for more access than their stated function requires.
- Tool poisoning via descriptions — The scanner specifically detects malicious instructions hidden in tool descriptions, which is one of the primary vectors for tool misuse in agentic systems.
- Dangerous parameter patterns — Tool schemas that accept unvalidated paths, shell commands, or URLs without constraints are identified.
What falls outside: SkillShield scans tools before they run. It does not monitor runtime tool invocations, enforce argument validation at call time, or sandbox execution. Runtime enforcement requires a complementary layer like containerized execution or policy engines.
ASI03 — Identity and Privilege Abuse (Partial Coverage)
Agents often inherit user or system identities — credentials, session tokens, delegated access. ASI03 covers the risk of these privileges being reused, escalated, or passed across agents without proper scoping.
What SkillShield catches:
- Hard-coded secrets — The scanner detects API keys, tokens, passwords, and other credentials embedded in SKILL.md files, tool configurations, and MCP server manifests.
- Excessive permission requests — Skills requesting broad filesystem access, environment variable reads, or credential store access are flagged with specific findings.
What falls outside: Runtime identity management, credential rotation, cross-agent delegation scoping, and session token lifecycle management are all runtime concerns outside SkillShield's static analysis surface.
ASI01 — Agent Goal Hijack (Partial Coverage)
Agent Goal Hijack occurs when an attacker alters an agent's objectives through malicious content — poisoned documents, emails, PDFs, or tool descriptions that contain hidden instructions.
What SkillShield catches:
- Prompt injection in tool descriptions — SkillShield's prompt injection testing specifically targets the tool description vector, where hidden instructions in SKILL.md files or MCP server tool definitions can redirect agent behavior. This is one of the primary delivery mechanisms for goal hijacking.
What falls outside: Goal hijacking through RAG documents, email content, calendar invites, web pages, or other runtime data sources is outside SkillShield's scanning surface. SkillShield scans the supply chain entry point, not the runtime data entry point.
ASI05 — Unexpected Code Execution (Partial Coverage)
Unexpected Code Execution covers agents generating or running code unsafely — shell commands, scripts, template evaluation, or deserialization triggered through generated output.
What SkillShield catches:
- Dangerous execution patterns in skills — Skills that contain direct eval, exec, shell invocation, or deserialization patterns are flagged.
- Sandbox escape indicators — Patterns suggesting attempts to break out of constrained execution environments are identified during scanning.
- Path traversal vulnerabilities — Tool schemas with path traversal risks in their input parameters are detected.
What falls outside: Runtime code generation by the agent itself, dynamic script evaluation, or code execution triggered by prompt injection at runtime. SkillShield catches dangerous patterns in the skill definition, not in agent-generated output.
ASI06 — Memory and Context Poisoning (Out of Scope)
Memory and Context Poisoning involves attacking an agent's memory systems — RAG databases, embeddings, conversation summaries — to influence future decisions.
SkillShield does not scan memory systems, RAG databases, or embedding stores. This is a runtime data integrity concern, not a supply chain scanning concern. Tools like provenance tracking, memory segmentation, and ingestion filtering address ASI06.
ASI07 — Insecure Inter-Agent Communication (Out of Scope)
ASI07 covers message tampering, spoofed agent identities, and replay attacks in multi-agent communication channels.
SkillShield does not inspect or secure inter-agent communication protocols. This is a network and protocol security concern addressed by mutual TLS, signed payloads, and authenticated discovery mechanisms.
ASI08 — Cascading Failures (Informational)
Cascading Failures occur when a small error in one agent propagates across planning, execution, memory, and downstream systems.
SkillShield contributes to prevention of cascading failures by catching malicious or vulnerable skills before they're installed. A poisoned skill that's blocked at the supply chain layer can't trigger a cascade downstream. But SkillShield does not provide runtime circuit breakers, rate limits, or isolation boundaries — those are operational controls.
ASI09 — Human-Agent Trust Exploitation (Indirect)
Users over-trust agent recommendations. ASI09 covers attackers or misaligned agents exploiting this trust to influence decisions or extract information.
SkillShield contributes indirectly through its trust scoring system. The scored directory gives users visible security ratings before they install a skill, replacing blind trust with informed decisions. A coding assistant that installs a skill SkillShield flagged as malicious is harder to trust blindly when the warning is visible.
This is not a direct mitigation — it's a trust-signal layer. Forced confirmations, immutable logs, and risk indicators in the agent UI are the direct mitigations for ASI09.
ASI10 — Rogue Agents (Indirect)
Rogue Agents are compromised or misaligned agents that act harmfully while appearing legitimate. They may persist across sessions, self-replicate actions, or impersonate other agents.
SkillShield's supply chain scanning can catch one pathway to rogue agent creation: a malicious skill or MCP server that compromises an otherwise legitimate agent. If the skill is blocked before installation, the agent stays clean. But behavioral monitoring, governance controls, and kill switches for running agents are outside SkillShield's scope.
What This Means for Your Security Stack
SkillShield directly addresses 3 of the 10 ASI categories (ASI02, ASI03, ASI04) and partially covers 2 more (ASI01, ASI05). The remaining 5 categories require runtime security controls — memory integrity, communication security, operational circuit breakers, trust UX, and agent governance.
No single tool covers all ten. That's the point of a Top 10 — it maps the landscape, not a single product's feature set.
Here's what a practical stack looks like:
| Layer | ASI Categories | Example Tools |
|---|---|---|
| Supply chain scanning | ASI01, ASI02, ASI03, ASI04, ASI05 | SkillShield |
| Runtime sandboxing | ASI02, ASI05, ASI10 | Container isolation, policy engines |
| Identity and access management | ASI03, ASI10 | Short-lived credentials, task-scoped permissions |
| Data integrity | ASI06 | RAG provenance tracking, memory segmentation |
| Communication security | ASI07 | Mutual TLS, signed payloads |
| Operational controls | ASI08, ASI09, ASI10 | Circuit breakers, forced confirmations, kill switches |
SkillShield is the pre-installation layer. It catches threats before they enter your agent's execution environment. Runtime layers handle what happens after.
Get Started
Scan your MCP servers and AI skills against the risks OWASP identified:
- Browse the scored directory — 33,746 extensions pre-scanned
- Scan an MCP server — Free security scans
- Install the CLI —
npm install -g skillshield
The OWASP Agentic Top 10 is the benchmark. SkillShield is how you check against ASI04.
The full OWASP Top 10 for Agentic Applications is available at genai.owasp.org.
Sources
- OWASP Top 10 for Agentic Applications 2026: https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/
- SkillShield scored directory: https://skillshield.dev/#browse
- SkillShield free MCP scanner: https://skillshield.dev/mcp
- SkillShield CLI: https://skillshield.dev/#use-skillshield
Catch risky skills before they run.
SkillShield scans skills, MCP servers, and prompt-bearing tool surfaces before they reach production.
Get early access