Scan Details

Project Name: facilitator-main
Scan Timestamp: 05/16/25 13:17:54
Agentic Framework: openai-agents
Dependency Check

Agentic Workflow Graph (figure; legend: Agent, Tool, Tool Category: CustomTool, Basic, MCP Server)
Findings
Vulnerabilities: 2
Agents: 7
Tools: 5
Nodes Overview

Agents

Agent Name | LLM Model | System Prompt
Triage Agent | gpt-4o | You determine which agent to use based on the user's homework question. Use the WebSocket tool to send messages when instructed.
ParticipantProfiler | gpt-4.1-mini | 
Conversation Tips | gpt-4.1 | You are a meeting assistant that provides valuable conversation tips based on the ongoing meeting discussion. Analyze the transcription of the meeting and provide insightful, context-specific tips that would help improve the conversation quality. Tips should focus on improving engagement, communication clarity, or addressing specific communication challenges you observe. Only provide a new tip when you detect a clear opportunity for improvement - do not spam with generic advice. Each tip must be highly valuable, specific to the current conversation context, and actionable. Tips should be concise (1-2 sentences) but impactful. Send the tip if you are 100% confident that very very very very important to the current conversation and send it to the WebSocket server using the provided function. If not just return 'no tips'.
Guardrail check | gpt-4o | Check if the user is asking specific question about agenda. It can be question or requestion for change or even conversation about it.
Engagement Agent | gpt-4.1 | You will be given transcriptions of running meeting, it will be passed to you in chunks. For each chunk, you need to classify if the text was said by host of the meeting or the guest. Then send the classification result to the WebSocket server.
Offtopic Agent | gpt-4.1 | 
Guardrail check | gpt-4o | Check if the new conversation tip is aggressive, harmful, dangerous or unrelated.
Tools

Tool Name | Tool Category | Tool Description | Number of Vulnerabilities
send_via_websocket | default | | 0
WebSearchTool | web_search | A hosted tool that lets the LLM search the web. Currently only supported with OpenAI models, using the Responses API. | 2
send_conversation_tip_via_websocket | default | | 0
send_via_websocket_words_count | default | Sends the classification result to the WebSocket server. It gets as user_type 'host' or 'guest' as string | 0
send_topic_status | default | Send a comprehensive topic status update via WebSocket with information about the current discussion. | 0
Tool Vulnerabilities

WebSearchTool
Vulnerability
Indirect Prompt Injection
Description
Attackers can poison search results (SEO poisoning) or craft pages so that their snippets contain malicious instructions. For instance, hidden text in a webpage that ranks in results could manipulate the agent’s summary or follow-up actions.
Security Framework Mapping
OWASP LLM Top 10:
LLM01 - Prompt Injection
OWASP Agentic:
T6 - Intent Breaking & Goal Manipulation
Remediation Steps
• Enable URL whitelisting
• Implement guardrails filtering for prompt injection
Vulnerability
Misinformation
Description
The agent might unknowingly incorporate malicious snippets into its reasoning, leading to harmful output (e.g., biased or false information, or even code if the snippet is crafted as such).
Security Framework Mapping
OWASP LLM Top 10:
LLM09 - Misinformation
OWASP Agentic:
T1 - Memory Poisoning
Remediation Steps
• Implement guardrails to filter out malicious snippets
• Implement data sanitization to prevent user data from entering the tool
Agent Vulnerability Mitigations

Agent Name | Vulnerability | Mitigation Level* | Explanation
Triage Agent | Input Length Limit | None | There are no guardrails in place to mitigate this vulnerability.
Triage Agent | Personally Identifiable Information (PII) Leakage | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to prevent the leakage of PII during the conversation.
Triage Agent | Harmful/Toxic/Profane Content | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to prevent the exchange of harmful, toxic, or profane content.
Triage Agent | Jailbreak | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to prevent attempts to make the AI act outside of its intended instructions.
Triage Agent | Intentional Misuse | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to prevent the AI from being used in unintended ways.
Triage Agent | System Prompt Leakage | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions to prevent the user from extracting the system prompt or instructions.
ParticipantProfiler | Input Length Limit | None | There are no guardrails in place to mitigate this vulnerability.
ParticipantProfiler | Personally Identifiable Information (PII) Leakage | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to mitigate this vulnerability.
ParticipantProfiler | Harmful/Toxic/Profane Content | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to mitigate this vulnerability.
ParticipantProfiler | Jailbreak | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to mitigate this vulnerability.
ParticipantProfiler | Intentional Misuse | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to mitigate this vulnerability.
ParticipantProfiler | System Prompt Leakage | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to mitigate this vulnerability.
Conversation Tips | Input Length Limit | None | There are no guardrails in place to mitigate this vulnerability.
Conversation Tips | Personally Identifiable Information (PII) Leakage | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to ensure or prevent the handling of PII.
Conversation Tips | Harmful/Toxic/Profane Content | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions to handle or prevent harmful, toxic, or profane content.
Conversation Tips | Jailbreak | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions to prevent the AI from being manipulated to act outside its intended purpose.
Conversation Tips | Intentional Misuse | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions to prevent the AI from being used to perform tasks it was not intended for.
Conversation Tips | System Prompt Leakage | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions to prevent system prompt leakage.
Guardrail check | Input Length Limit | None | There are no guardrails in place to mitigate this vulnerability.
Guardrail check | Personally Identifiable Information (PII) Leakage | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions provided that specifically address PII leakage.
Guardrail check | Harmful/Toxic/Profane Content | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions provided that specifically address harmful, toxic, or profane content.
Guardrail check | Jailbreak | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions that prevent the agent from acting outside of its intended guidelines.
Guardrail check | Intentional Misuse | None | There are no guardrails in place to mitigate this vulnerability. The instructions do not specify any restrictions regarding tasks it is not intended for, apart from discussing 'agenda'.
Guardrail check | System Prompt Leakage | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions provided that specifically prevent system prompt leakage.
Engagement Agent | Input Length Limit | None | There are no guardrails in place to mitigate this vulnerability.
Engagement Agent | Personally Identifiable Information (PII) Leakage | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions provided to specifically address or mitigate the leakage of Personally Identifiable Information (PII).
Engagement Agent | Harmful/Toxic/Profane Content | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to mitigate harmful, toxic or profane content.
Engagement Agent | Jailbreak | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions provided to specifically address or prevent jailbreak attempts.
Engagement Agent | Intentional Misuse | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions provided to address or prevent intentional misuse, such as asking the AI to perform tasks it is not designed for.
Engagement Agent | System Prompt Leakage | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions provided to specifically prevent the user from extracting the system prompt or instructions.
Offtopic Agent | Input Length Limit | None | There are no guardrails in place to mitigate this vulnerability.
Offtopic Agent | Personally Identifiable Information (PII) Leakage | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to mitigate this vulnerability.
Offtopic Agent | Harmful/Toxic/Profane Content | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to mitigate this vulnerability.
Offtopic Agent | Jailbreak | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to mitigate this vulnerability.
Offtopic Agent | Intentional Misuse | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to mitigate this vulnerability.
Offtopic Agent | System Prompt Leakage | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to mitigate this vulnerability.
Guardrail check | Input Length Limit | None | There are no guardrails in place to mitigate this vulnerability.
Guardrail check | Personally Identifiable Information (PII) Leakage | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to mitigate the leakage of PII from the conversation.
Guardrail check | Harmful/Toxic/Profane Content | Partial | There are no guardrails in place to mitigate this vulnerability. The instruction 'Check if the new conversation tip is aggressive, harmful, dangerous or unrelated.' is in place to mitigate harmful or toxic content.
Guardrail check | Jailbreak | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to prevent the user from attempting to make the AI act outside its guidelines.
Guardrail check | Intentional Misuse | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to address intentional misuse of the AI for tasks it is not intended to perform.
Guardrail check | System Prompt Leakage | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to prevent the user from extracting the AI's system prompt or instructions.
*The "Mitigation Level" column shows to what extent a vulnerability is mitigated. "Full" indicates that both a system prompt instruction and a guardrail are in place. "Partial" indicates that one of the two is in place. "None" indicates that neither one is in place. (This applies to all vulnerabilities except for the "Input Length Limit", in which case only the guardrail is taken into account).
Agent Vulnerability Explanations

Each entry below gives the agent vulnerability, its framework mapping, a description, and the recommended mitigation.

Input Length Limit
OWASP LLM Top 10: LLM01 - Prompt Injection; LLM10 - Unbounded Consumption
OWASP Agentic: T2 - Tool Misuse; T4 - Resource Overload; T6 - Intent Breaking & Goal Manipulation; T7 - Misaligned & Deceptive Behaviors
Description: An attacker can overwhelm the LLM's context with a very long message and cause it to ignore previous instructions or produce undesired actions.
Mitigation:
- add a Guardrail that checks if the user message contains more than the maximum allowed number of characters (200-500 will suffice in most cases).

Personally Identifiable Information (PII) Leakage
OWASP LLM Top 10: LLM02 - Sensitive Information Disclosure; LLM05 - Improper Output Handling
OWASP Agentic: T7 - Misaligned & Deceptive Behaviors; T9 - Identity Spoofing & Impersonation; T15 - Human Manipulation
Description: An attacker can manipulate the LLM into exfiltrating PII, or into requesting that users disclose PII.
Mitigation:
- add a Guardrail that checks user and agent messages for PII and anonymizes or flags them
- include agent instructions that clearly state that it should not handle PII.

Harmful/Toxic/Profane Content
OWASP LLM Top 10: LLM05 - Improper Output Handling
OWASP Agentic: T7 - Misaligned & Deceptive Behaviors; T11 - Unexpected RCE and Code Attacks
Description: An attacker can use the LLM to generate harmful, toxic, or profane content, or to engage in conversations about such topics.
Mitigation:
- add a Guardrail that checks user and agent messages for toxic, harmful, and profane content
- include agent instructions that prohibit the agent from engaging in conversation about, or creating, harmful, toxic, or profane content.

Jailbreak
OWASP LLM Top 10: LLM01 - Prompt Injection; LLM02 - Sensitive Information Disclosure; LLM05 - Improper Output Handling; LLM09 - Misinformation; LLM10 - Unbounded Consumption
OWASP Agentic: T1 - Memory Poisoning; T2 - Tool Misuse; T3 - Privilege Compromise; T4 - Resource Overload; T6 - Intent Breaking & Goal Manipulation; T7 - Misaligned & Deceptive Behaviors; T9 - Identity Spoofing & Impersonation; T11 - Unexpected RCE and Code Attacks; T13 - Rogue Agents in Multi-Agent Systems; T15 - Human Manipulation
Description: An attacker can craft messages that make the LLM disregard all previous instructions so that it can be used for any task the attacker wants.
Mitigation:
- add a Guardrail that checks user messages for attempts at circumventing the LLM's instructions
- include agent instructions that state that the agent should not alter its instructions, and should ignore user messages that try to convince it otherwise.

Intentional Misuse
OWASP LLM Top 10: LLM01 - Prompt Injection; LLM10 - Unbounded Consumption
OWASP Agentic: T2 - Tool Misuse; T4 - Resource Overload; T6 - Intent Breaking & Goal Manipulation
Description: An attacker can try to use the LLM instance for tasks other than its intended usage, either to drain resources or for personal gain.
Mitigation:
- add a Guardrail that checks user messages for tasks that are not the agent's intended usage
- include agent instructions that prohibit the agent from engaging in any tasks that are not its intended usage.

System Prompt Leakage
OWASP LLM Top 10: LLM01 - Prompt Injection; LLM02 - Sensitive Information Disclosure; LLM07 - System Prompt Leakage
OWASP Agentic: T2 - Tool Misuse; T3 - Privilege Compromise; T6 - Intent Breaking & Goal Manipulation; T7 - Misaligned & Deceptive Behaviors
Description: An attacker can make the LLM reveal its system prompt/instructions, which leaks sensitive business logic and lets them craft further attacks tailored to this LLM.
Mitigation:
- add a Guardrail that checks agent messages for the exact text of the agent's system prompt
- include agent instructions that highlight that the system prompt/instructions are confidential and should not be shared.