Releases: dockfixlabs/agentguard

v0.6.8 - Steganographic Command Injection

@dockfixlabs dockfixlabs released this 05 Jul 03:28

ASI-STEGANO-INJECT: 6th novel rule. 19 rules, 102 tests, 50 benchmark.

Full Changelog: v0.6.6...v0.6.8

v0.6.6 - 50 Benchmark Samples

@dockfixlabs dockfixlabs released this 05 Jul 03:19

50 benchmark samples. 100% detection. 0 false positives.

Full Changelog: v0.6.5...v0.6.6

v0.6.5 - Adversarial Review Hardened

@dockfixlabs dockfixlabs released this 05 Jul 03:02

35-point adversarial self-review: 0 real detection failures. Fixed JS camelCase taint tracking.

Full Changelog: v0.6.4...v0.6.5

v0.6.4 - Multi-Agent Collusion + Benchmark Fix

@dockfixlabs dockfixlabs released this 05 Jul 02:49

  • ASI-AGENT-COLLUSION: 4th novel rule beyond OWASP ASI
  • Fixed agent_result missing from memory poison TAINT_RE
  • 90 tests, 17 rules, 39 benchmark samples (100% detection, 0 FP)

4 novel attack vectors beyond OWASP: Memory Poisoning, Tool Output Trust, Action Chain Amplification, Multi-Agent Collusion

Full Changelog: v0.6.3...v0.6.4

v0.6.3 - Multi-Agent Collusion Detection

@dockfixlabs dockfixlabs released this 05 Jul 02:46

v0.6.3 - Multi-Agent Collusion Detection (ASI-AGENT-COLLUSION)

4th novel rule beyond OWASP ASI Top 10. Detects multi-agent collusion patterns where agents conspire through shared state, unvalidated inter-agent communication, or common memory without trust verification.

17 detection rules. 90 tests. 39 benchmark samples.

GitHub: https://github.com/dockfixlabs/agentguard

Full Changelog: v0.6.2...v0.6.3

v0.6.2 - Action Chain Amplification Detection

@dockfixlabs dockfixlabs released this 05 Jul 02:33

NEW: ASI-CHAIN-AMPLIFY

Third novel rule beyond OWASP ASI Top 10: Action Chain Amplification.

The most dangerous failure mode in autonomous agents is not a single bad action but an amplification cascade where one misstep triggers dozens of irreversible operations.

What It Detects

  • For-loop batch destruction: for f in files: os.remove(f) with unbounded source
  • While-true broadcasts: while True: channel.send(msg) from agent output
  • ThreadPool mass operations: ThreadPoolExecutor.map(lambda x: db.delete(x))
  • Agent-result-triggered cascades: for r in agent_result.get("resources"): cloud.delete(r)

Safety Patterns Recognized

  • batch_size=, max_items=, limit=N, sleep(), rate limiting
  • human_in_the_loop, approval, confirmation, checkpoint
  • dry_run, preview, sandbox, test_mode
  • if len(items), if count >, if size >

Numbers

  • 83 tests (7 new)
  • 16 detection rules (3 beyond OWASP ASI)
  • 36 benchmark samples
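The safety patterns listed above describe what a non-amplifying batch looks like at runtime. The following is an added illustration, not agentguard's own code: it takes the flagged cascade "for r in agent_result.get('resources'): cloud.delete(r)" and rewrites it with a size bound (max_items), a validated plan, a dry_run default and an explicit confirmation gate. CloudClient, run_batch_delete and the resource-id format are hypothetical stand-ins.

```python
"""Bounded, gated batch deletion over agent-selected resources.

Added illustration, not agentguard's own code. CloudClient, run_batch_delete
and the RESOURCE_ID format are hypothetical; the point is the shape of the
guards (bound, validate, dry-run, confirm) around a destructive loop.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Callable

# Constructed identifier format; a real provider has its own rules.
RESOURCE_ID = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")


class BatchTooLarge(Exception):
    """Raised when the agent asks for more deletions than the caller allows."""


@dataclass
class CloudClient:
    """Stand-in for a cloud SDK client; records deletes instead of performing them."""
    deleted: list[str] = field(default_factory=list)

    def delete(self, resource_id: str) -> None:
        self.deleted.append(resource_id)


def run_batch_delete(agent_result: dict, client: CloudClient, *,
                     max_items: int = 10, dry_run: bool = True,
                     confirm: Callable[[list[str]], bool] = lambda plan: False) -> dict:
    """Delete resources chosen by an agent: never more than max_items, never
    without an inspectable plan, and never without confirmation once dry_run
    is switched off."""
    # Materialise the agent's list so the bound is checked before any side effect.
    requested = list(agent_result.get("resources", []))
    if len(requested) > max_items:
        raise BatchTooLarge(
            f"agent requested {len(requested)} deletions, max_items={max_items}")

    # Agent output is untrusted data: only well-formed ids make it into the plan.
    plan = [r for r in requested if isinstance(r, str) and RESOURCE_ID.match(r)]
    rejected = [r for r in requested if r not in plan]

    if dry_run:
        return {"status": "dry_run", "plan": plan, "rejected": rejected, "deleted": []}
    if not confirm(plan):
        return {"status": "not_confirmed", "plan": plan, "rejected": rejected, "deleted": []}

    # Bounded by max_items, contents validated, explicitly confirmed.
    for resource_id in plan:
        client.delete(resource_id)
    return {"status": "deleted", "plan": plan, "rejected": rejected, "deleted": plan}


if __name__ == "__main__":
    c = CloudClient()
    print(run_batch_delete({"resources": ["vm-1", "vm-2", "VM_3"]}, c))
```

The default arguments are deliberately the safe ones: a caller who forgets to pass anything gets a dry run, and a caller who turns dry_run off still gets nothing deleted until a confirm callback says yes. The size check runs before the loop, so an oversized request fails closed instead of deleting the first max_items entries.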

Full Changelog: v0.6.1...v0.6.2

v0.6.1 - Tool Output Trust Attack Detection

@dockfixlabs dockfixlabs released this 05 Jul 02:17

NEW: ASI-TOOL-TRUST

Second novel attack vector beyond OWASP ASI Top 10: Tool Output Trust.

Autonomous agents implicitly trust tool outputs as ground truth. If a compromised tool returns poisoned data, the agent executes it without question. This is how agents get exploited in production.

What It Detects

  • os.system(tool_output) / subprocess.run(tool_result) - command injection
  • eval(api_response) / exec(agent_output) - code execution
  • open(tool_result, "w") - file system manipulation through tool data
  • Step.create(agent_output) - factory/creation from unvalidated output

Sanitization Patterns Recognized

  • Pydantic model_validate() / BaseModel
  • assert / isinstance() type checking
  • bleach.clean() / html.escape()
  • JSON Schema / marshmallow / cerberus / attrs.validate
  • sanitize / validated naming conventions

Numbers

  • 76 tests (9 new)
  • 15 detection rules
  • 36 benchmark samples

Full Changelog: v0.6.0...v0.6.1

v0.6.0 - Agent Memory Poisoning Detection

@dockfixlabs dockfixlabs released this 05 Jul 01:55

NEW: ASI-MEMORY-POISON -- Beyond OWASP ASI Top 10

First scanner to detect Agent Memory Poisoning -- a novel attack vector where untrusted data is injected into an agent's persistent memory systems, corrupting ALL future decisions.

Unlike prompt injection (single-turn), memory poisoning is PERSISTENT. Once malicious content enters the vector store, RAG knowledge base, or conversation memory, it poisons every subsequent agent interaction until the store is purged.

What It Detects

  • Vector Database Poisoning: ChromaDB, Pinecone, Weaviate, Qdrant, FAISS, Milvus writes without sanitization
  • LangChain Memory Corruption: ConversationBufferMemory, ConversationSummaryMemory, ConversationKGMemory, VectorStoreRetrieverMemory
  • RAG Pipeline Injection: Document ingestion, text splitting, knowledge base writes
  • Agent Framework Memory: update_memory(), set_memory(), add_to_memory() without validation
  • Cross-Language: Python AND JavaScript/TypeScript support

Adversarial Self-Review

  • 8/8 adversarial edge cases correctly handled
  • Sanitization-aware: skips bleach.clean(), html.escape(), validated/escaped data paths
  • Rename-not-sanitize: still flags when variable renamed without actual sanitization

Numbers

  • 67 tests (8 new)
  • 36 benchmark samples (100% detection, 0 FP)
  • 14 detection rules
  • 26 memory sink patterns across 7 vector DBs + 4 agent frameworks
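Both the ASI-TOOL-TRUST notes (v0.6.1) and the ASI-MEMORY-POISON notes above describe the same static-analysis shape: data from an agent or tool source reaches a sink unless a recognized sanitizer sits in between, and a plain rename does not count as sanitization. The block below is an added example of that approach written on Python's ast module; it is not agentguard's code and does not reproduce its rules. The source names, sanitizer names, sink names and the SAMPLE program are constructed for the demonstration; it generalizes over the notes by treating command-execution sinks and memory-store writes with one taint walk.

```python
"""Minimal source-to-sink taint check over a Python AST.

Added example, not agentguard's own code. TAINT_SOURCES, SANITIZERS,
SINK names and SAMPLE are constructed for illustration. Taint is tracked
per variable name across straight-line code; branches, containers and
cross-file flow are deliberately out of scope here.
"""
from __future__ import annotations

import ast

# Names modelled on the release notes' examples; constructed for this demo.
TAINT_SOURCES = {"tool_output", "tool_result", "agent_output", "agent_result", "api_response"}
SANITIZERS = {"html.escape", "bleach.clean"}          # matched by full dotted name
SANITIZER_METHODS = {"model_validate", "sanitize", "validate"}  # matched by last segment
EXEC_SINKS = {"os.system", "subprocess.run", "eval", "exec"}
MEMORY_SINK_METHODS = {"add_texts", "upsert", "save_context",
                       "update_memory", "set_memory", "add_to_memory"}


def dotted_name(node: ast.AST) -> str | None:
    """Turn `memory.save_context` / `eval` into a dotted string, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None  # call on a call/subscript result: not modelled
    parts.append(node.id)
    return ".".join(reversed(parts))


def is_sanitizer(call: ast.Call) -> bool:
    name = dotted_name(call.func)
    return name is not None and (name in SANITIZERS or name.rsplit(".", 1)[-1] in SANITIZER_METHODS)


def is_sink(name: str | None) -> bool:
    return name is not None and (name in EXEC_SINKS or name.rsplit(".", 1)[-1] in MEMORY_SINK_METHODS)


def tainted_in(expr: ast.AST, tainted: set[str]) -> set[str]:
    """Tainted variable names used in expr, not descending into sanitizer calls."""
    found, stack = set(), [expr]
    while stack:
        node = stack.pop()
        if isinstance(node, ast.Call) and is_sanitizer(node):
            continue  # whatever passes through a sanitizer is trusted
        if isinstance(node, ast.Name) and node.id in tainted:
            found.add(node.id)
        stack.extend(ast.iter_child_nodes(node))
    return found


class TaintScanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.tainted = set(TAINT_SOURCES)
        self.findings: list[tuple[int, str, str]] = []  # (line, sink, variable)

    def visit_Assign(self, node: ast.Assign) -> None:
        # `cmd = agent_output` propagates taint (rename is not sanitization);
        # `safe = html.escape(tool_output)` clears it for the target name.
        sources = tainted_in(node.value, self.tainted)
        for target in node.targets:
            if isinstance(target, ast.Name):
                (self.tainted.add if sources else self.tainted.discard)(target.id)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = dotted_name(node.func)
        if is_sink(name):
            for arg in list(node.args) + [kw.value for kw in node.keywords]:
                for var in sorted(tainted_in(arg, self.tainted)):
                    self.findings.append((node.lineno, name, var))
        self.generic_visit(node)


def scan(source: str) -> list[tuple[int, str, str]]:
    scanner = TaintScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


# Constructed sample program exercising each case from the notes.
SAMPLE = """\
import os
import subprocess
import html

def handle(tool_output, agent_output):
    os.system(tool_output)
    cmd = agent_output
    subprocess.run(cmd)
    safe = html.escape(tool_output)
    os.system(safe)
    eval(html.escape(agent_output))
    memory.save_context({"input": tool_output}, {"output": "ok"})
    memory.save_context({"input": safe}, {"output": "ok"})
"""

if __name__ == "__main__":
    for line, sink, var in scan(SAMPLE):
        print(f"line {line}: {var} reaches {sink} unsanitized")
```

Running it on SAMPLE reports lines 6, 8 and 12: the raw shell call, the renamed-but-unsanitized `cmd`, and the conversation-memory write. Lines 10, 11 and 13 stay quiet because the data went through html.escape first, either into a fresh variable or inline at the sink.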

Full Changelog: v0.5.7...v0.6.0

v0.5.7 - Cross-File Taint Analysis (Phase 2)

@dockfixlabs dockfixlabs released this 05 Jul 01:42

New: ASI01-CROSS-FILE rule

Tracks tainted data flowing through imported functions that call LLM APIs. Resolves import statements such as from utils import call_llm to find sinks in local modules.

Changes

  • New module: agentguard/rules/cross_file.py - Python import resolution
  • New rule: ASI01-CROSS-FILE (Cross-File Taint Flow)
  • 3 new tests (59 total, all pass)
  • 34/34 benchmark samples (100% detection, 0 FP)

Adversarial Review

  • 8/8 adversarial edge cases correctly handled
  • Tightened param-signature detection (TARGETED_PARAMS exact match)
  • Removed generic words from SOURCE_WORDS (eliminated FP noise)

Full Changelog: v0.5.6...v0.5.7

v0.5.6 - Adversarial-Hardened FP Fix

@dockfixlabs dockfixlabs released this 05 Jul 01:40

v0.5.6 - Interprocedural False Positive Fix

Adversarial Self-Review Findings

Rigorous adversarial review of the v0.5.5 interprocedural rule found:

  • Removed "text" from SOURCE_WORDS (too generic, caused FP on instance methods)
  • Tightened param-signature detection to exact-match set (TARGETED_PARAMS)
  • Eliminated false positive on sanitized-after-passing pattern
  • Eliminated noise on generic wrapper function params (prompt, text, data)

Result

  • 56 tests pass
  • 34/34 benchmark samples (100% detection, 0 FP)
  • 7/7 adversarial edge cases correctly handled

Full Changelog: v0.5.5...v0.5.6