owasp-asi
// OWASP Top 10 for Agentic Applications 2026 (ASI) classification framework. Use for mapping security findings to standardized risk categories.
A.I.G Scanner — AI security scanning for infrastructure, AI tools / skills, AI Agents, and LLM jailbreak evaluation via Tencent Zhuque Lab AI-Infra-Guard. Uses built-in exec + Python script, no plugin required. Requires AIG_BASE_URL to be configured. Triggers on: scan AI service, AI vulnerability scan, scan AI infra, check CVE, audit AI service, scan MCP, scan skills, audit AI tools, scan agent, red-team LLM, jailbreak test, 扫描AI服务, 检查AI漏洞, 扫描AI工具, 检查MCP安全, 审计Agent, 越狱测试.
The first security skill to install after setting up OpenClaw — powered by Tencent Zhuque Lab. Works like an antivirus for your AI environment: audits installed skills, scans skills before installation, and performs a full OpenClaw security health check to prevent data leaks and privacy risks. Backed by Tencent Zhuque Lab A.I.G (AI-Infra-Guard). Use when the user asks to start a security health check or security scan for the current OpenClaw environment, such as `开始安全体检`, `做一次安全体检`, `开始安全扫描`, `全面安全检查`, or `检查 OpenClaw 安全`; also use when the user asks to audit a specific skill before installation, review installed skills for supply chain risk, or investigate whether a skill is safe. Do not trigger for general OpenClaw usage, project debugging, environment setup, or normal development requests. Optional cloud mode: set AIG_CLOUD_LOOKUP=off for zero outbound HTTPS; when enabled, only skill_name, source label, and OpenClaw version are sent to A.I.G (never skill bodies, chats, or workspace files).
Detect sensitive information disclosure via escalating dialogue probes. Covers system prompt extraction, credential/API key leakage, PII, and internal configuration exposure.
Detect tool misuse and unexpected code execution via dialogue testing. Use when the agent exposes file, code-execution, or network tools.
Detect privilege escalation and unauthorized access via dialogue. Use when the agent has roles, admin functions, or multi-user data.
Detect indirect prompt injection (goal hijack). Instructions hidden in "external" content (documents, RAG, web) that the agent processes. Use when the agent has document/RAG/web/file input.
| Field | Value |
|---|---|
| name | owasp-asi |
| description | OWASP Top 10 for Agentic Applications 2026 (ASI) classification framework. Use for mapping security findings to standardized risk categories. |
OWASP Top 10 for Agentic Applications 2026 - Standardized risk classification for AI agent security.
| ID | Risk Type | Key Indicators |
|---|---|---|
| ASI01 | Agent Goal Hijack | Prompt injection, instruction override, goal manipulation |
| ASI02 | Tool Misuse & Exploitation | Unauthorized tool calls, parameter tampering, unvalidated inputs |
| ASI03 | Identity & Privilege Abuse | Auth bypass, permission escalation, missing authorization |
| ASI04 | Agentic Supply Chain | Malicious dependencies, compromised tools, package poisoning |
| ASI05 | Unexpected Code Execution | RCE, command injection, code evaluation |
| ASI06 | Memory & Context Poisoning | Data leakage, context manipulation, memory corruption |
| ASI07 | Insecure Inter-Agent Communication | Unencrypted channels, data exposure between agents |
| ASI08 | Cascading Failures | Error propagation, chain reaction vulnerabilities |
| ASI09 | Human-Agent Trust Exploit | Social engineering, deceptive responses |
| ASI10 | Rogue Agents | Malicious agent behavior, unauthorized actions |
| Detection Source | Type | Primary ASI | Secondary ASI |
|---|---|---|---|
| data-leakage-detection | Skill | ASI06, ASI07 | ASI01, ASI03 |
| tool-abuse-detection | Skill | ASI02, ASI05, ASI07 | ASI03 |
| indirect-injection-detection | Skill | ASI01 | ASI06 |
| authorization-bypass-detection | Skill | ASI03 | ASI09 |
| Prompt Injection tests | Dialogue | ASI01, ASI06 | ASI09 |
| Code Audit | Agent | ASI04, ASI05 | ASI10 |
| Finding Type | ASI Category | Rationale |
|---|---|---|
| API keys, tokens | ASI06 | Context contains sensitive data |
| System prompts | ASI01 | Enables goal hijacking |
| Credentials | ASI03 | Identity abuse risk |
| Internal configs | ASI04 | Supply chain exposure |
| PII exposure | ASI07 | Inter-agent data leak |
| Command injection | ASI05 | Unexpected code execution |
| Unauthorized tool calls | ASI02 | Tool misuse |
Action: Immediate remediation (within 24 hours)
Action: Urgent remediation (within 1 week)
Action: Address within 2-4 weeks
Action: Review as time permits
Load this skill when performing OWASP ASI classification:
`load_skill(name="owasp-asi")`
Then apply the mapping rules above to classify findings.