{"kind":"Skill","metadata":{"namespace":"community","name":"agent-owasp-compliance","version":"0.1.0"},"spec":{"description":"|","files":{"SKILL.md":"---\nname: agent-owasp-compliance\ndescription: |\n  Check any AI agent codebase against the OWASP Agentic Security Initiative (ASI) Top 10 risks.\n  Use this skill when:\n  - Evaluating an agent system's security posture before production deployment\n  - Running a compliance check against OWASP ASI 2026 standards\n  - Mapping existing security controls to the 10 agentic risks\n  - Generating a compliance report for security review or audit\n  - Comparing agent framework security features against the standard\n  - Any request like \"is my agent OWASP compliant?\", \"check ASI compliance\", or \"agentic security audit\"\n---\n\n# Agent OWASP ASI Compliance Check\n\nEvaluate AI agent systems against the OWASP Agentic Security Initiative (ASI) Top 10 — the industry standard for agent security posture.\n\n## Overview\n\nThe OWASP ASI Top 10 defines the critical security risks specific to autonomous AI agents — not LLMs, not chatbots, but agents that call tools, access systems, and act on behalf of users. This skill checks whether your agent implementation addresses each risk.\n\n```\nCodebase → Scan for each ASI control:\n  ASI-01: Prompt Injection Protection\n  ASI-02: Tool Use Governance\n  ASI-03: Agency Boundaries\n  ASI-04: Escalation Controls\n  ASI-05: Trust Boundary Enforcement\n  ASI-06: Logging \u0026 Audit\n  ASI-07: Identity Management\n  ASI-08: Policy Integrity\n  ASI-09: Supply Chain Verification\n  ASI-10: Behavioral Monitoring\n→ Generate Compliance Report (X/10 covered)\n```\n\n## The 10 Risks\n\n| Risk | Name | What to Look For |\n|------|------|-----------------|\n| ASI-01 | Prompt Injection | Input validation before tool calls, not just LLM output filtering |\n| ASI-02 | Insecure Tool Use | Tool allowlists, argument validation, no raw shell execution |\n| ASI-03 | Excessive Agency | Capability boundaries, scope limits, principle of least privilege |\n| ASI-04 | Unauthorized Escalation | Privilege checks before sensitive operations, no self-promotion |\n| ASI-05 | Trust Boundary Violation | Trust verification between agents, signed credentials, no blind trust |\n| ASI-06 | Insufficient Logging | Structured audit trail for all tool calls, tamper-evident logs |\n| ASI-07 | Insecure Identity | Cryptographic agent identity, not just string names |\n| ASI-08 | Policy Bypass | Deterministic policy enforcement, no LLM-based permission checks |\n| ASI-09 | Supply Chain Integrity | Signed plugins/tools, integrity verification, dependency auditing |\n| ASI-10 | Behavioral Anomaly | Drift detection, circuit breakers, kill switch capability |\n\n---\n\n## Check ASI-01: Prompt Injection Protection\n\nLook for input validation that runs **before** tool execution, not after LLM generation.\n\n```python\nimport re\nfrom pathlib import Path\n\ndef check_asi_01(project_path: str) -\u003e dict:\n    \"\"\"ASI-01: Is user input validated before reaching tool execution?\"\"\"\n    positive_patterns = [\n        \"input_validation\", \"validate_input\", \"sanitize\",\n        \"classify_intent\", \"prompt_injection\", \"threat_detect\",\n        \"PolicyEvaluator\", \"PolicyEngine\", \"check_content\",\n    ]\n    negative_patterns = [\n        r\"eval\\(\", r\"exec\\(\", r\"subprocess\\.run\\(.*shell=True\",\n        r\"os\\.system\\(\",\n    ]\n\n    # Scan Python files for signals\n    root = Path(project_path)\n    positive_matches = []\n    negative_matches = []\n\n    for py_file in root.rglob(\"*.py\"):\n        content = py_file.read_text(errors=\"ignore\")\n        for pattern in positive_patterns:\n            if pattern in content:\n                positive_matches.append(f\"{py_file.name}: {pattern}\")\n        for pattern in negative_patterns:\n            if re.search(pattern, content):\n                negative_matches.append(f\"{py_file.name}: {pattern}\")\n\n    positive_found = len(positive_matches) \u003e 0\n    negative_found = len(negative_matches) \u003e 0\n\n    return {\n        \"risk\": \"ASI-01\",\n        \"name\": \"Prompt Injection\",\n        \"status\": \"pass\" if positive_found and not negative_found else \"fail\",\n        \"controls_found\": positive_matches,\n        \"vulnerabilities\": negative_matches,\n        \"recommendation\": \"Add input validation before tool execution, not just output filtering\"\n    }\n```\n\n**What passing looks like:**\n```python\n# GOOD: Validate before tool execution\nresult = policy_engine.evaluate(user_input)\nif result.action == \"deny\":\n    return \"Request blocked by policy\"\ntool_result = await execute_tool(validated_input)\n```\n\n**What failing looks like:**\n```python\n# BAD: User input goes directly to tool\ntool_result = await execute_tool(user_input)  # No validation\n```\n\n---\n\n## Check ASI-02: Insecure Tool Use\n\nVerify tools have allowlists, argument validation, and no unrestricted execution.\n\n**What to search for:**\n- Tool registration with explicit allowlists (not open-ended)\n- Argument validation before tool execution\n- No `subprocess.run(shell=True)` with user-controlled input\n- No `eval()` or `exec()` on agent-generated code without sandbox\n\n**Passing example:**\n```python\nALLOWED_TOOLS = {\"search\", \"read_file\", \"create_ticket\"}\n\ndef execute_tool(name: str, args: dict):\n    if name not in ALLOWED_TOOLS:\n        raise PermissionError(f\"Tool '{name}' not in allowlist\")\n    # validate args...\n    return tools[name](**validated_args)\n```\n\n---\n\n## Check ASI-03: Excessive Agency\n\nVerify agent capabilities are bounded — not open-ended.\n\n**What to search for:**\n- Explicit capability lists or execution rings\n- Scope limits on what the agent can access\n- Principle of least privilege applied to tool access\n\n**Failing:** Agent has access to all tools by default.\n**Passing:** Agent capabilities defined as a fixed allowlist, unknown tools denied.\n\n---\n\n## Check ASI-04: Unauthorized Escalation\n\nVerify agents cannot promote their own privileges.\n\n**What to search for:**\n- Privilege level checks before sensitive operations\n- No self-promotion patterns (agent changing its own trust score or role)\n- Escalation requires external attestation (human or SRE witness)\n\n**Failing:** Agent can modify its own configuration or permissions.\n**Passing:** Privilege changes require out-of-band approval (e.g., Ring 0 requires SRE attestation).\n\n---\n\n## Check ASI-05: Trust Boundary Violation\n\nIn multi-agent systems, verify that agents verify each other's identity before accepting instructions.\n\n**What to search for:**\n- Agent identity verification (DIDs, signed tokens, API keys)\n- Trust score checks before accepting delegated tasks\n- No blind trust of inter-agent messages\n- Delegation narrowing (child scope \u003c= parent scope)\n\n**Passing example:**\n```python\ndef accept_task(sender_id: str, task: dict):\n    trust = trust_registry.get_trust(sender_id)\n    if not trust.meets_threshold(0.7):\n        raise PermissionError(f\"Agent {sender_id} trust too low: {trust.current()}\")\n    if not verify_signature(task, sender_id):\n        raise SecurityError(\"Task signature verification failed\")\n    return process_task(task)\n```\n\n---\n\n## Check ASI-06: Insufficient Logging\n\nVerify all agent actions produce structured, tamper-evident audit entries.\n\n**What to search for:**\n- Structured logging for every tool call (not just print statements)\n- Audit entries include: timestamp, agent ID, tool name, args, result, policy decision\n- Append-only or hash-chained log format\n- Logs stored separately from agent-writable directories\n\n**Failing:** Agent actions logged via `print()` or not logged at all.\n**Passing:** Structured JSONL audit trail with chain hashes, exported to secure storage.\n\n---\n\n## Check ASI-07: Insecure Identity\n\nVerify agents have cryptographic identity, not just string names.\n\n**Failing indicators:**\n- Agent identified by `agent_name = \"my-agent\"` (string only)\n- No authentication between agents\n- Shared credentials across agents\n\n**Passing indicators:**\n- DID-based identity (`did:web:`, `did:key:`)\n- Ed25519 or similar cryptographic signing\n- Per-agent credentials with rotation\n- Identity bound to specific capabilities\n\n---\n\n## Check ASI-08: Policy Bypass\n\nVerify policy enforcement is deterministic — not LLM-based.\n\n**What to search for:**\n- Policy evaluation uses deterministic logic (YAML rules, code predicates)\n- No LLM calls in the enforcement path\n- Policy checks cannot be skipped or overridden by the agent\n- Fail-closed behavior (if policy check errors, action is denied)\n\n**Failing:** Agent decides its own permissions via prompt (\"Am I allowed to...?\").\n**Passing:** PolicyEvaluator.evaluate() returns allow/deny in \u003c0.1ms, no LLM involved.\n\n---\n\n## Check ASI-09: Supply Chain Integrity\n\nVerify agent plugins and tools have integrity verification.\n\n**What to search for:**\n- `INTEGRITY.json` or manifest files with SHA-256 hashes\n- Signature verification on plugin installation\n- Dependency pinning (no `@latest`, `\u003e=` without upper bound)\n- SBOM generation\n\n---\n\n## Check ASI-10: Behavioral Anomaly\n\nVerify the system can detect and respond to agent behavioral drift.\n\n**What to search for:**\n- Circuit breakers that trip on repeated failures\n- Trust score decay over time (temporal decay)\n- Kill switch or emergency stop capability\n- Anomaly detection on tool call patterns (frequency, targets, timing)\n\n**Failing:** No mechanism to stop a misbehaving agent automatically.\n**Passing:** Circuit breaker trips after N failures, trust decays without activity, kill switch available.\n\n---\n\n## Compliance Report Format\n\n```markdown\n# OWASP ASI Compliance Report\nGenerated: 2026-04-01\nProject: my-agent-system\n\n## Summary: 7/10 Controls Covered\n\n| Risk | Status | Finding |\n|------|--------|---------|\n| ASI-01 Prompt Injection | PASS | PolicyEngine validates input before tool calls |\n| ASI-02 Insecure Tool Use | PASS | Tool allowlist enforced in governance.py |\n| ASI-03 Excessive Agency | PASS | Execution rings limit capabilities |\n| ASI-04 Unauthorized Escalation | PASS | Ring promotion requires attestation |\n| ASI-05 Trust Boundary | FAIL | No identity verification between agents |\n| ASI-06 Insufficient Logging | PASS | AuditChain with SHA-256 chain hashes |\n| ASI-07 Insecure Identity | FAIL | Agents use string names, no crypto identity |\n| ASI-08 Policy Bypass | PASS | Deterministic PolicyEvaluator, no LLM in path |\n| ASI-09 Supply Chain | FAIL | No integrity manifests or plugin signing |\n| ASI-10 Behavioral Anomaly | PASS | Circuit breakers and trust decay active |\n\n## Critical Gaps\n- ASI-05: Add agent identity verification using DIDs or signed tokens\n- ASI-07: Replace string agent names with cryptographic identity\n- ASI-09: Generate INTEGRITY.json manifests for all plugins\n\n## Recommendation\nInstall agent-governance-toolkit for reference implementations of all 10 controls:\npip install agent-governance-toolkit\n```\n\n---\n\n## Quick Assessment Questions\n\nUse these to rapidly assess an agent system:\n\n1. **Does user input pass through validation before reaching any tool?** (ASI-01)\n2. **Is there an explicit list of what tools the agent can call?** (ASI-02)\n3. **Can the agent do anything, or are its capabilities bounded?** (ASI-03)\n4. **Can the agent promote its own privileges?** (ASI-04)\n5. **Do agents verify each other's identity before accepting tasks?** (ASI-05)\n6. **Is every tool call logged with enough detail to replay it?** (ASI-06)\n7. **Does each agent have a unique cryptographic identity?** (ASI-07)\n8. **Is policy enforcement deterministic (not LLM-based)?** (ASI-08)\n9. **Are plugins/tools integrity-verified before use?** (ASI-09)\n10. **Is there a circuit breaker or kill switch?** (ASI-10)\n\nIf you answer \"no\" to any of these, that's a gap to address.\n\n---\n\n## Related Resources\n\n- [OWASP Agentic AI Threats](https://owasp.org/www-project-agentic-ai-threats/)\n- [Agent Governance Toolkit](https://github.com/microsoft/agent-governance-toolkit) — Reference implementation covering 10/10 ASI controls\n- [agent-governance skill](https://github.com/github/awesome-copilot/tree/main/skills/agent-governance) — Governance patterns for agent systems\n"},"import":{"commit_sha":"541b7819d8c3545c6df122491af4fa1eae415779","imported_at":"2026-05-18T20:05:35Z","license_text":"MIT License\n\nCopyright GitHub, Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","owner":"github","repo":"github/awesome-copilot","source_url":"https://github.com/github/awesome-copilot/tree/541b7819d8c3545c6df122491af4fa1eae415779/skills/agent-owasp-compliance"}},"content_hash":[83,133,4,161,163,48,13,220,48,16,123,63,242,87,33,146,64,48,54,89,220,93,219,224,237,75,64,52,154,157,23,14],"trust_level":"unsigned","yanked":false}