Releases: dockfixlabs/agentguard
v0.6.8 - Steganographic Command Injection
ASI-STEGANO-INJECT: 6th novel rule. 19 rules, 102 tests, 50 benchmark samples.
Full Changelog: v0.6.6...v0.6.8
v0.6.6 - 50 Benchmark Samples
50 benchmark samples. 100% detection. 0 false positives.
Full Changelog: v0.6.5...v0.6.6
v0.6.5 - Adversarial Review Hardened
35-point adversarial self-review: 0 real detection failures. Fixed JS camelCase taint tracking.
Full Changelog: v0.6.4...v0.6.5
v0.6.4 - Multi-Agent Collusion + Benchmark Fix
- ASI-AGENT-COLLUSION: 4th novel rule beyond OWASP ASI
- Fixed agent_result missing from memory poison TAINT_RE
- 90 tests, 17 rules, 39 benchmark samples (100% detection, 0 FP)
4 novel attack vectors beyond OWASP: Memory Poisoning, Tool Output Trust, Action Chain Amplification, Multi-Agent Collusion
Full Changelog: v0.6.3...v0.6.4
v0.6.3 - Multi-Agent Collusion Detection (ASI-AGENT-COLLUSION)
4th novel rule beyond OWASP ASI Top 10. Detects multi-agent collusion patterns where agents conspire through shared state, unvalidated inter-agent communication, or common memory without trust verification.
17 detection rules. 90 tests. 39 benchmark samples.
GitHub: https://github.com/dockfixlabs/agentguard
Full Changelog: v0.6.2...v0.6.3
v0.6.2 - Action Chain Amplification Detection
NEW: ASI-CHAIN-AMPLIFY
Third novel rule beyond OWASP ASI Top 10: Action Chain Amplification.
The most dangerous failure mode in autonomous agents is not a single bad action but an amplification cascade where one misstep triggers dozens of irreversible operations.
What It Detects
- For-loop batch destruction: `for f in files: os.remove(f)` with an unbounded source
- While-true broadcasts: `while True: channel.send(msg)` from agent output
- ThreadPool mass operations: `ThreadPoolExecutor.map(lambda x: db.delete(x))`
- Agent-result-triggered cascades: `for r in agent_result.get("resources"): cloud.delete(r)`
Safety Patterns Recognized
- `batch_size=`, `max_items=`, `limit=N`, `sleep()`, rate limiting
- `human_in_the_loop`, `approval`, `confirmation`, `checkpoint`
- `dry_run`, `preview`, `sandbox`, `test_mode`
- `if len(items)`, `if count >`, `if size >`
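As an added illustration (not code from agentguard itself), the unbounded cascade described above next to a contained version that applies the safety patterns the rule recognises: a `max_items` cap, a `dry_run` preview, a human approval gate, and an `if len(items)` check. `FakeCloud`, the `approve` callback and the agent results are assumptions constructed for the example.

```python
# Added example, not code from agentguard: the unbounded cascade the release
# describes next to a bounded version that applies the safety patterns the rule
# recognises (max_items=, dry_run, an approval gate, an if len(items) check).
# FakeCloud and the agent results below are constructed for the demonstration.


class FakeCloud:
    """Stand-in for a cloud SDK client: records deletions instead of performing them."""

    def __init__(self):
        self.deleted = []

    def delete(self, resource_id):
        self.deleted.append(resource_id)


# Constructed agent outputs: a small, plausible batch and a runaway one.
AGENT_RESULT_SMALL = {"resources": ["vm-1", "vm-2", "vm-3"]}
AGENT_RESULT_RUNAWAY = {"resources": [f"vm-{i}" for i in range(50)]}


def delete_resources_unbounded(cloud, agent_result):
    """The shape ASI-CHAIN-AMPLIFY flags: agent output drives an irreversible
    loop with no size cap, no preview and no approval step."""
    for r in agent_result.get("resources", []):
        cloud.delete(r)


def delete_resources_bounded(cloud, agent_result, *, max_items=5, dry_run=True, approve=None):
    """Same intent with the cascade contained.

    - max_items caps the batch; a larger batch is refused rather than truncated,
      since an oversized delete list coming out of an agent is itself a warning sign
    - dry_run (the default) returns the plan without touching anything
    - approve is a human-in-the-loop callback that must return True for the
      plan before any delete runs
    Returns (planned, executed) so the caller can audit both lists.
    """
    items = list(agent_result.get("resources", []))
    if len(items) > max_items:
        raise ValueError(f"refusing batch of {len(items)} > max_items={max_items}")
    planned = list(items)
    if dry_run:
        return planned, []
    if approve is None or not approve(planned):
        return planned, []
    executed = []
    for r in planned:
        cloud.delete(r)
        executed.append(r)
    return planned, executed


if __name__ == "__main__":
    cloud = FakeCloud()
    print(delete_resources_bounded(cloud, AGENT_RESULT_SMALL))  # preview only
    print(delete_resources_bounded(cloud, AGENT_RESULT_SMALL, dry_run=False,
                                   approve=lambda plan: len(plan) <= 3))  # executes
    print(cloud.deleted)
```

Refusing an oversized batch outright, rather than silently processing the first `max_items`, keeps the decision visible: the caller sees the `ValueError` and can log it as a sign that the agent's plan has drifted.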
Numbers
- 83 tests (7 new)
- 16 detection rules (3 beyond OWASP ASI)
- 36 benchmark samples
Full Changelog: v0.6.1...v0.6.2
v0.6.1 - Tool Output Trust Attack Detection
NEW: ASI-TOOL-TRUST
Second novel attack vector beyond OWASP ASI Top 10: Tool Output Trust.
Autonomous agents implicitly trust tool outputs as ground truth. If a compromised tool returns poisoned data, the agent executes it without question. This is how agents get exploited in production.
What It Detects
- `os.system(tool_output)` / `subprocess.run(tool_result)` - command injection
- `eval(api_response)` / `exec(agent_output)` - code execution
- `open(tool_result, "w")` - file system manipulation through tool data
- `Step.create(agent_output)` - factory/creation from unvalidated output
Sanitization Patterns Recognized
- Pydantic `model_validate()` / BaseModel
- `assert` / `isinstance()` type checking
- `bleach.clean()` / `html.escape()`
- JSON Schema / marshmallow / cerberus / attrs.validate
- `sanitize` / `validated` naming conventions
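As an added example (not agentguard's own code), here is the hardened form of the `open(tool_result, "w")` sink listed above: the tool's JSON output is type-checked with `isinstance()`, the text field is passed through `html.escape()`, and only the validated values, never the raw dict, reach the file system. The field names, the `SAFE_NAME` pattern and the sample tool outputs are assumptions constructed for the demonstration.

```python
import html
import re
from pathlib import Path

# Added example, not agentguard's code: validate a tool's JSON output before it
# reaches a file-system sink, using the isinstance()/html.escape() patterns the
# rule recognises. The field names and sample outputs are constructed.

SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# Constructed tool outputs: one clean, three poisoned in different ways.
TOOL_OK = {"filename": "report.txt", "summary": "All checks passed"}
TOOL_TRAVERSAL = {"filename": "../../etc/passwd", "summary": "x"}
TOOL_WRONG_TYPE = {"filename": 42, "summary": "x"}
TOOL_HTML = {"filename": "notes.txt", "summary": "<script>alert(1)</script>"}


def validate_tool_output(tool_result):
    """Return a (filename, summary_escaped) pair from a tool's output, or raise
    ValueError. The raw dict is never handed to a sink; only these validated
    values are, which is the 'validated' naming pattern the scanner looks for."""
    if not isinstance(tool_result, dict):
        raise ValueError("tool output must be a JSON object")
    filename = tool_result.get("filename")
    summary = tool_result.get("summary")
    if not isinstance(filename, str) or not SAFE_NAME.match(filename) or filename in (".", ".."):
        raise ValueError("filename from tool is not a plain, safe file name")
    if not isinstance(summary, str):
        raise ValueError("summary from tool must be a string")
    # Escape before the text can reach an HTML renderer downstream.
    return filename, html.escape(summary)


def is_safe_tool_output(tool_result):
    """Boolean wrapper for callers that only need a verdict."""
    try:
        validate_tool_output(tool_result)
        return True
    except ValueError:
        return False


def resolve_validated_target(tool_result, base_dir):
    """Resolve the validated filename under base_dir and confirm it stays there.
    Pure: computes the path without writing anything."""
    base = Path(base_dir).resolve()
    filename, _ = validate_tool_output(tool_result)
    target = (base / filename).resolve()
    if target.parent != base:
        raise ValueError("target escapes the sandbox directory")
    return target


def write_validated(tool_result, base_dir):
    """Hardened form of open(tool_result, "w"): write only the validated,
    escaped summary, only to a path confirmed to sit inside base_dir."""
    _, summary_escaped = validate_tool_output(tool_result)
    target = resolve_validated_target(tool_result, base_dir)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(summary_escaped)
    return target


if __name__ == "__main__":
    for sample in (TOOL_OK, TOOL_TRAVERSAL, TOOL_WRONG_TYPE, TOOL_HTML):
        print(sample, "->", "accepted" if is_safe_tool_output(sample) else "rejected")
```

The allowlist on the file name does the real work here: a blocklist of `..` would still let separators or absolute paths through, whereas requiring a plain name and then re-checking the resolved parent directory closes both.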
Numbers
- 76 tests (9 new)
- 15 detection rules
- 36 benchmark samples
Full Changelog: v0.6.0...v0.6.1
v0.6.0 - Agent Memory Poisoning Detection
NEW: ASI-MEMORY-POISON -- Beyond OWASP ASI Top 10
First scanner to detect Agent Memory Poisoning -- a novel attack vector where untrusted data is injected into an agent's persistent memory systems, corrupting ALL future decisions.
Unlike prompt injection (single-turn), memory poisoning is PERSISTENT. Once malicious content enters the vector store, RAG knowledge base, or conversation memory, it poisons every subsequent agent interaction until the store is purged.
What It Detects
- Vector Database Poisoning: ChromaDB, Pinecone, Weaviate, Qdrant, FAISS, Milvus writes without sanitization
- LangChain Memory Corruption: ConversationBufferMemory, ConversationSummaryMemory, ConversationKGMemory, VectorStoreRetrieverMemory
- RAG Pipeline Injection: Document ingestion, text splitting, knowledge base writes
- Agent Framework Memory: update_memory(), set_memory(), add_to_memory() without validation
- Cross-Language: Python AND JavaScript/TypeScript support
Adversarial Self-Review
- 8/8 adversarial edge cases correctly handled
- Sanitization-aware: skips bleach.clean(), html.escape(), validated/escaped data paths
- Rename-not-sanitize: still flags when variable renamed without actual sanitization
Numbers
- 67 tests (8 new)
- 36 benchmark samples (100% detection, 0 FP)
- 14 detection rules
- 26 memory sink patterns across 7 vector DBs + 4 agent frameworks
Full Changelog: v0.5.7...v0.6.0
v0.5.7 - Cross-File Taint Analysis (Phase 2)
New: ASI01-CROSS-FILE rule
Tracks tainted data flowing through imported functions that call LLM APIs. Resolves `from utils import call_llm` patterns to find sinks in local modules.
Changes
- New module: `agentguard/rules/cross_file.py` - Python import resolution
- New rule: `ASI01-CROSS-FILE` (Cross-File Taint Flow)
- 3 new tests (59 total, all pass)
- 34/34 benchmark samples (100% detection, 0 FP)
Adversarial Review
- 8/8 adversarial edge cases correctly handled
- Tightened param-signature detection (TARGETED_PARAMS exact match)
- Removed generic words from SOURCE_WORDS (eliminated FP noise)
Full Changelog: v0.5.6...v0.5.7
v0.5.6 - Adversarial-Hardened FP Fix
v0.5.6 - Interprocedural False Positive Fix
Adversarial Self-Review Findings
Rigorous adversarial review of v0.5.5 interprocedural rule found:
- Removed "text" from SOURCE_WORDS (too generic, caused FP on instance methods)
- Tightened param-signature detection to exact-match set (TARGETED_PARAMS)
- Eliminated false positive on sanitized-after-passing pattern
- Eliminated noise on generic wrapper function params (prompt, text, data)
Result
- 56 tests pass
- 34/34 benchmark samples (100% detection, 0 FP)
- 7/7 adversarial edge cases correctly handled
Full Changelog: v0.5.5...v0.5.6