Dosu Logo
Home
Documents
owasp-mapping
owasp-mapping
Type
External
Status
Published
Created
Mar 25, 2026
Updated
Apr 4, 2026
Updated by
Dosu Bot

OWASP Agentic Top 10: Pipelock Coverage#

How Pipelock addresses the OWASP Top 10 for Agentic Applications (2026).

See also: OWASP AIVSS coverage mapping for Pipelock's coverage against the AIVSS v0.8 scoring framework (all 10 Agentic AI Core Security Risks).

Note: Coverage levels reflect architectural capabilities against known attack patterns, not guarantees of threat prevention. "Strong" means the feature addresses the threat effectively for known techniques. "Partial" means it contributes but is not sufficient alone. No security tool prevents all instances of any threat class. This mapping is for informational purposes and does not constitute compliance certification.

ThreatCoverageStatus
ASI01 Agent Goal HijackStrongShipped
ASI02 Tool MisusePartialShipped
ASI03 Identity & Privilege AbuseStrongShipped
ASI04 Supply Chain VulnerabilitiesPartialShipped
ASI05 Unexpected Code ExecutionModerateShipped
ASI06 Memory & Context PoisoningModerateShipped
ASI07 Insecure Inter-Agent CommunicationPartialShipped
ASI08 Cascading FailuresModerateShipped
ASI09 Human-Agent Trust ExploitationPartialShipped
ASI10 Rogue AgentsStrongShipped

ASI01: Agent Goal Hijack#

Threat: Attackers redirect agent objectives through malicious text in external data (web pages, tool results, documents).

Pipelock coverage:

  • Response scanning: fetched web content is scanned for prompt injection patterns before reaching the agent. Actions: block (reject entirely), strip (redact matched text), warn (log and pass through), ask (human approval).
  • MCP response scanning: pipelock mcp proxy wraps MCP servers and scans JSON-RPC tool results through the same injection detector. Text is concatenated across content blocks, catching injection split across multiple blocks.
  • MCP input scanning: client requests are scanned for injection patterns in tool arguments before reaching the MCP server. Catches injection payloads being sent to tools, not just returned from them. Actions: block or warn (no ask, since input scanning runs on the request path with no terminal interaction).
  • Pattern matching: detects "ignore previous instructions," system/role overrides, jailbreak templates (DAN, developer mode), and multi-language variants.

Configuration:

response_scanning:
  enabled: true
  action: block # block, strip, warn, or ask
  # 25 patterns ship by default (prompt injection, system override,
  # role override, jailbreak, credential solicitation, etc). Example:
  patterns:
    - name: "Prompt Injection"
      regex: '(?i)(ignore|disregard|forget)\s+(all\s+)?(previous|prior|above)\s+(instructions|prompts|rules|context)'

Use pipelock generate config --preset balanced for the complete default pattern set.

Gap: Regex-based detection can miss novel injection patterns. Future: classifier-based detection (see roadmap).

ASI02: Tool Misuse#

Threat: Agents misuse legitimate tools due to prompt injection, misalignment, or unsafe delegation, calling tools with destructive parameters or chaining tools in unexpected ways.

Pipelock coverage:

  • Fetch proxy as a controlled tool: instead of giving agents raw curl/fetch, the proxy is the only network tool. Every request goes through the full scanner pipeline.
  • MCP response scanning: tool results from MCP servers are scanned for injection payloads before the agent processes them.
  • MCP input scanning: client requests are scanned for DLP leaks and injection in tool arguments before reaching the server. Catches secrets or injection payloads being passed as tool call parameters.
  • MCP tool scanning: tools/list responses are scanned for poisoned descriptions containing hidden instructions. SHA256 baseline per session detects rug-pull definition changes.
  • Input validation: URLs are validated, parsed, and scanned before any HTTP request is made. Malformed URLs are rejected.

Gap: Pipelock controls the HTTP fetch tool, scans MCP traffic bidirectionally (requests, responses, and tool definitions), and with sandbox mode restricts filesystem and network access at the OS level (Landlock + network namespaces + seccomp). Shell command content is inspected via tool policy rules with obfuscation detection. Pipelock does not monitor in-process agent memory or context window manipulation.

ASI03: Identity & Privilege Abuse#

Threat: Attackers exploit inherited or cached credentials, delegated permissions, or agent-to-agent trust to access resources beyond intended scope.

Pipelock coverage:

  • Capability separation: the agent process (which holds secrets) runs in a network-restricted environment. The fetch proxy (which has network access) holds no agent secrets. Deployment (Docker, Kubernetes NetworkPolicy) enforces the boundary. Neither process has both capabilities.
  • Domain allowlisting: the agent can only reach explicitly allowed API endpoints (e.g., *.anthropic.com, github.com).
  • SSRF protection: blocks requests to internal/private IP ranges (RFC 1918, link-local, loopback) with DNS rebinding prevention. Custom DialContext resolves DNS and validates all returned IPs before connecting.
  • Docker Compose isolation: pipelock generate docker-compose creates a network topology where the agent container has no direct internet access.

ASI04: Supply Chain Vulnerabilities#

Threat: Malicious or tampered tools, skill packages, models, or agent personas compromise execution.

Pipelock coverage:

  • Workspace integrity monitoring: SHA256 manifests detect any file modification, addition, or removal in the workspace. A compromised skill that modifies config files is detected.
  • MCP response scanning: compromised MCP servers that inject prompt injection payloads into tool results are detected.
  • MCP tool scanning: tools/list responses are scanned for poisoned tool descriptions (hidden instructions, file exfiltration directives, cross-tool manipulation). SHA256 baseline detects rug-pull changes to tool definitions mid-session.
  • Ed25519 signing: files and manifests can be signed for tamper-evident verification. Unsigned or re-signed files are flagged.

Gap: No dependency scanning (use Trivy or Dependabot for that). No MCP server identity verification yet.

ASI05: Unexpected Code Execution#

Threat: Agents generate or execute attacker-controlled code, either directly or through manipulated tool outputs.

Pipelock coverage:

  • MCP proxy scanning: pipelock mcp proxy scans tool results before the agent sees them, catching injection payloads that could trick agents into executing malicious code.
  • Content extraction: HTML is converted to clean text via go-readability, removing scripts, styles, and other executable content from fetched pages.
  • DLP pattern matching: detects API key formats in URLs and request bodies, which can indicate code execution results leaking secrets.

Gap: With sandbox mode, pipelock restricts filesystem, network, and syscall access for the agent process (Landlock + network namespaces + seccomp). However, code running inside the allowed filesystem paths with allowed syscalls is not semantically analyzed — pipelock does not interpret what code does, only where it can reach.

ASI06: Memory & Context Poisoning#

Threat: Attackers corrupt the data sources an agent relies on for knowledge and decision-making, leading to flawed or malicious outcomes.

Pipelock coverage:

  • Response scanning: fetched web content (the most common knowledge source for coding agents) is scanned for injection before entering the agent's context.
  • Content extraction: go-readability strips non-content elements, reducing the attack surface of fetched pages.
  • Workspace integrity monitoring: detects unauthorized modifications to memory files, config files, and other workspace data the agent reads.

Gap: No semantic analysis of retrieved content. Pipelock detects pattern-based injection but not subtly misleading information.

ASI07: Insecure Inter-Agent Communication#

Threat: Agents in a multi-agent system attack each other through shared resources, message passing, or lateral movement through workspace files.

Pipelock coverage:

  • Multi-agent identification: each agent gets a named profile with independent mode, allowlist, DLP, rate limits, and budget. Identity resolution via listener binding (spoof-proof), X-Pipelock-Agent header, or ?agent= query param. All audit log entries include the agent name, enabling per-agent monitoring.
  • File integrity monitoring: pipelock integrity init/check/update detects unauthorized workspace modifications. An agent that tampers with shared handoff files is detected.
  • Ed25519 signing: agents can sign and verify files/manifests. Tampered content is cryptographically detectable.
  • MCP confused deputy protection: response ID validation ensures a malicious MCP server cannot inject unsolicited JSON-RPC responses to hijack agent execution flow. Outbound request IDs are tracked and inbound responses are validated against them (one-shot consumption prevents replay).

Gap: No runtime inter-agent communication policy yet. See roadmap issue #44.

ASI08: Cascading Failures#

Threat: Failures propagate through agent chains. One agent's error or compromise triggers failures in downstream agents.

Pipelock coverage:

  • Per-domain rate limiting: sliding window rate limiter prevents bulk requests from one agent overwhelming external services.
  • Response size limits: max_response_mb caps the size of fetched content, preventing memory exhaustion.
  • Request timeouts: configurable per-request timeout prevents hanging connections that block agent pipelines.
  • Structured logging: every request is logged with zerolog, enabling rapid diagnosis of failure chains across agents.

Gap: No circuit-breaker pattern or agent-level health checks yet.

ASI09: Human-Agent Trust Exploitation#

Threat: Attackers exploit the trust humans place in agent outputs, using agents as intermediaries to deliver manipulated content or unauthorized actions.

Pipelock coverage:

  • HITL terminal approval: action: ask prompts the human operator with a terminal y/N/s dialog when suspicious content is detected. The human can approve, deny, or strip before the request proceeds.
  • Audit logging: every request and scanner detection is logged, giving humans a verifiable record to review.
  • Prometheus metrics: /metrics and /stats endpoints surface block rates, scanner hits, and top domains for human oversight dashboards.

Gap: No user-facing UI for non-terminal environments. HITL is terminal-only.

ASI10: Rogue Agents#

Threat: Agents act outside their intended boundaries due to compromised objectives, misalignment, or adversarial manipulation.

Pipelock coverage:

  • Principle of least privilege: the agent only reaches allowed API domains. Everything else is blocked.
  • Capability separation: the agent process has no direct network access. Only the proxy (which holds no agent secrets) can reach the internet. Deployment enforces the network boundary.
  • Configurable enforcement modes: strict (block on detection, tight thresholds), balanced (warn on detection, default thresholds), audit (detect and log without blocking).
  • Domain blocklist: known exfiltration targets (pastebin, transfer.sh) are explicitly blocked.
  • Rate limiting: per-domain sliding window prevents bulk data transfer even to allowed domains.
  • Environment variable leak detection: detects the proxy's own env var values in outbound traffic (raw + base64).
  • Entropy analysis: flags high-entropy strings that look like encoded secrets.
  • URL length limits: unusually long URLs (potential data exfiltration) are flagged.

Summary#

Pipelock provides strong coverage for 3/10 OWASP Agentic threats (ASI01, ASI03, ASI10), moderate coverage for 3/10 (ASI05, ASI06, ASI08), and partial coverage for 4/10 (ASI02, ASI04, ASI07, ASI09). The primary gaps are in inter-agent communication policy (ASI07, roadmap) and semantic content analysis (ASI06).

No single tool covers all 10 threats. Pipelock covers network egress + content inspection + process containment + workspace integrity. For complementary shell-level policy, see agentsh. See comparison.md for a full feature matrix.