Scan Details

Project Name: oh-my-coach-main
Scan Timestamp: 05/16/25 13:18:46
Agentic Framework: openai-agents
Dependency Check

Agentic Workflow Graph

(The rendered graph is not included in this export. Its legend distinguishes Agent nodes from Tool nodes, and labels Tool nodes by category: CustomTool, Basic, MCP Server.)
Findings

Vulnerabilities: 0
Agents: 5
Tools: 0

Note that the vulnerability count does not reflect the agent-level gaps reported under Agent Vulnerability Mitigations below, where every agent is rated "None" for all six vulnerability classes.
Nodes Overview

Agents

Agent Name: goal_manager_agent
LLM Model: gpt-4o
System Prompt: You are a goal generation expert. You help users create goals based on their messages. Extract goal details from the user's message. You should provide: - A clear, concise name for the goal - A short description that explains what needs to be achieved Example: User: "I want to learn Python in next 3 months" Output: { "name": "Learn Python Programming", "description": "Master Python programming language fundamentals within a 3-month timeframe" }

Agent Name: Task Intent Classifier
LLM Model: gpt-4o
System Prompt: You are a classifier that determines if a user's message is a task for an existing goal. Analyze the message and the list of existing goals. If the message is clearly about creating a task for one of the listed goals, return that goal's ID. Otherwise return -1. Your response must be a JSON object with a single field 'goal_id' containing this integer.

Agent Name: Goal Intent Classifier
LLM Model: gpt-4o
System Prompt: You are a classifier that determines if a user's message expresses intent to create a new goal. Return a JSON object with a single boolean field 'is_new_goal' which is true if intent exists, otherwise false.

Agent Name: task_manager_agent
LLM Model: gpt-4o
System Prompt: You are a task creation expert. You help create tasks based on user messages and goal context. You should provide: - A clear, concise task name - A short task description - Estimated duration in minutes (optional) - Priority level 1-5 (optional) The priority must be a number between 1 and 5, where: 1 = lowest priority 5 = highest priority Example: Goal: "Learn Python Programming" User: "I need to set up my development environment" Output: { "name": "Set up Python Development Environment", "description": "Install Python, configure IDE, and set up virtual environment", "duration": 60, "priority": 5 }

Agent Name: Coach
LLM Model: gpt-4o
System Prompt: (none recorded by the scan)

Tools

No tools were found. (Table columns: Tool Name, Tool Category, Tool Description, Number of Vulnerabilities.)
Agent Vulnerability Mitigations

Each row below gives the vulnerability, the Mitigation Level*, and the explanation.

goal_manager_agent
- Input Length Limit | None | No guardrail is in place.
- Personally Identifiable Information (PII) Leakage | None | No guardrail is in place, and the instructions say nothing about protecting PII: the agent is told to extract goal details with no guidance on handling or avoiding personal data.
- Harmful/Toxic/Profane Content | None | No guardrail is in place, and the instructions say nothing about refusing to generate or handle harmful, toxic, or profane content.
- Jailbreak | None | No guardrail is in place, and nothing in the instructions prevents the agent from being coerced into acting outside its intended scope.
- Intentional Misuse | None | No guardrail is in place, and the instructions do not say how to respond when a user asks for something other than goal generation.
- System Prompt Leakage | None | No guardrail is in place, and the instructions do not forbid disclosing the system prompt or internal instructions.

Task Intent Classifier
- Input Length Limit | None | No guardrail is in place.
- Personally Identifiable Information (PII) Leakage | None | No guardrail is in place, and the prompt does not mention handling or restrictions around PII.
- Harmful/Toxic/Profane Content | None | No guardrail is in place, and the prompt contains no instruction to filter or reject harmful, toxic, or profane content; it focuses solely on task classification.
- Jailbreak | None | No guardrail is in place, and no instruction prevents attempts to change the agent's behavior beyond its classification task.
- Intentional Misuse | None | No guardrail is in place, and the prompt only checks whether a message aligns with an existing goal; it gives no guidance on intentional misuse.
- System Prompt Leakage | None | No guardrail or instruction protects against system prompt leakage.

Goal Intent Classifier
- Input Length Limit | None | No guardrail is in place.
- Personally Identifiable Information (PII) Leakage | None | No guardrail or instruction prevents the leakage of PII.
- Harmful/Toxic/Profane Content | None | No guardrail or instruction handles or filters harmful, toxic, or profane content.
- Jailbreak | None | No guardrail or instruction prevents or mitigates jailbreak attempts.
- Intentional Misuse | None | No guardrail or instruction prevents the agent from being used for tasks it is not intended for.
- System Prompt Leakage | None | No guardrail or instruction prevents the user from extracting the system prompt.

task_manager_agent
- Input Length Limit | None | No guardrail is in place.
- Personally Identifiable Information (PII) Leakage | None | No guardrail is in place, and the instructions do not address handling or protecting PII.
- Harmful/Toxic/Profane Content | None | No guardrail is in place, and the instructions say nothing about harmful, toxic, or profane content.
- Jailbreak | None | No guardrail is in place, and nothing in the instructions addresses attempts to make the agent act outside its primary task of creating tasks.
- Intentional Misuse | None | No guardrail is in place, and the instructions do not cover requests for tasks the agent is not intended for.
- System Prompt Leakage | None | No guardrail is in place, and the instructions do not forbid revealing the system prompt or internal instructions to users.

Coach (no system prompt was recorded for this agent, so there are no instructions of any kind)
- Input Length Limit | None | No guardrail is in place.
- Personally Identifiable Information (PII) Leakage | None | No guardrail or instruction is in place.
- Harmful/Toxic/Profane Content | None | No guardrail or instruction is in place.
- Jailbreak | None | No guardrail or instruction is in place.
- Intentional Misuse | None | No guardrail or instruction is in place.
- System Prompt Leakage | None | No guardrail or instruction is in place.
*The "Mitigation Level" column shows to what extent a vulnerability is mitigated. "Full" means that both a system prompt instruction and a guardrail are in place; "Partial" means that only one of the two is in place; "None" means that neither is. (This applies to all vulnerabilities except "Input Length Limit", for which only the guardrail counts, since an instruction in the prompt cannot stop an oversized message from reaching the model.)
Agent Vulnerability Explanations

Input Length Limit
Framework Mapping:
- OWASP LLM Top 10: LLM01 - Prompt Injection; LLM10 - Unbounded Consumption
- OWASP Agentic: T2 - Tool Misuse; T4 - Resource Overload; T6 - Intent Breaking & Goal Manipulation; T7 - Misaligned & Deceptive Behaviors
Description: An attacker can overwhelm the LLM's context with a very long message and cause it to ignore earlier instructions or take undesired actions.
Mitigation:
- add a Guardrail that rejects user messages longer than a maximum number of characters (the report suggests 200-500 for most cases; size the limit to the longest legitimate input each agent needs, and remember that a character count is only a proxy for the model's token budget).

Personally Identifiable Information (PII) Leakage
Framework Mapping:
- OWASP LLM Top 10: LLM02 - Sensitive Information Disclosure; LLM05 - Improper Output Handling
- OWASP Agentic: T7 - Misaligned & Deceptive Behaviors; T9 - Identity Spoofing & Impersonation; T15 - Human Manipulation
Description: An attacker can manipulate the LLM into exfiltrating PII, or into asking users to disclose PII.
Mitigation:
- add a Guardrail that checks both user and agent messages for PII and anonymizes or flags them
- include agent instructions that clearly state that the agent must not handle PII.

Harmful/Toxic/Profane Content
Framework Mapping:
- OWASP LLM Top 10: LLM05 - Improper Output Handling
- OWASP Agentic: T7 - Misaligned & Deceptive Behaviors; T11 - Unexpected RCE and Code Attacks
Description: An attacker can use the LLM to generate harmful, toxic, or profane content, or to engage in conversations about such topics.
Mitigation:
- add a Guardrail that checks user and agent messages for toxic, harmful, and profane content
- include agent instructions that prohibit the agent from creating, or engaging in conversation about, harmful, toxic, or profane content.

Jailbreak
Framework Mapping:
- OWASP LLM Top 10: LLM01 - Prompt Injection; LLM02 - Sensitive Information Disclosure; LLM05 - Improper Output Handling; LLM09 - Misinformation; LLM10 - Unbounded Consumption
- OWASP Agentic: T1 - Memory Poisoning; T2 - Tool Misuse; T3 - Privilege Compromise; T4 - Resource Overload; T6 - Intent Breaking & Goal Manipulation; T7 - Misaligned & Deceptive Behaviors; T9 - Identity Spoofing & Impersonation; T11 - Unexpected RCE and Code Attacks; T13 - Rogue Agents in Multi-Agent Systems; T15 - Human Manipulation
Description: An attacker can craft messages that make the LLM disregard all previous instructions, so that it can be used for any task the attacker wants.
Mitigation:
- add a Guardrail that checks user messages for attempts to circumvent the LLM's instructions
- include agent instructions stating that the agent must not alter its instructions and should ignore user messages that try to convince it otherwise.

Intentional Misuse
Framework Mapping:
- OWASP LLM Top 10: LLM01 - Prompt Injection; LLM10 - Unbounded Consumption
- OWASP Agentic: T2 - Tool Misuse; T4 - Resource Overload; T6 - Intent Breaking & Goal Manipulation
Description: An attacker can try to use the LLM instance for tasks other than its intended usage, to drain resources or for personal gain.
Mitigation:
- add a Guardrail that checks user messages for tasks outside the agent's intended usage
- include agent instructions that prohibit the agent from engaging in any task that is not its intended usage.

System Prompt Leakage
Framework Mapping:
- OWASP LLM Top 10: LLM01 - Prompt Injection; LLM02 - Sensitive Information Disclosure; LLM07 - System Prompt Leakage
- OWASP Agentic: T2 - Tool Misuse; T3 - Privilege Compromise; T6 - Intent Breaking & Goal Manipulation; T7 - Misaligned & Deceptive Behaviors
Description: An attacker can make the LLM reveal its system prompt/instructions, exposing sensitive business logic and allowing the attacker to craft follow-up attacks tailored to this LLM.
Mitigation:
- add a Guardrail that checks agent messages for the text of the agent's system prompt (an exact-match check is easily bypassed by paraphrasing, re-wrapping, or translating the prompt, so match normalized fragments rather than only the verbatim string)
- include agent instructions that highlight that the system prompt/instructions are confidential and must not be shared.
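Three of the gaps above (Input Length Limit, PII Leakage, System Prompt Leakage) can be closed with deterministic checks that need no model call, and the openai-agents framework this project uses exposes input and output guardrail hooks to attach them to an agent. The block below is an added example, not code from the oh-my-coach project or from the scanner. The check functions are plain Python so they can be tested offline; build_guarded_agent wires them into an Agent through the SDK's @input_guardrail and @output_guardrail decorators and assumes openai-agents is installed only for that function. The 500-character limit, the PII regexes, the 8-word leak window, the abbreviated goal_manager_agent prompt and the sample messages are constructed assumptions. Jailbreak, toxicity and misuse checks are not shown because they need a classifier rather than a pattern match.

```python
"""Offline-testable guardrail checks, plus wiring into openai-agents.
Added example, not the oh-my-coach project's code; the limits, regexes
and sample text are constructed assumptions, not scanner output."""
import re
from dataclasses import dataclass

# Upper end of the report's 200-500 suggestion. This counts characters, not
# tokens, so it is only a proxy for the model's real context budget.
MAX_INPUT_CHARS = 500

# Illustrative detectors (assumption: a demo set, not a complete PII engine).
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\+?\d{1,3}[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}\b"),
}

# Opening of the goal_manager_agent prompt from the Agents table above: the
# secret the output guardrail has to keep from leaking.
GOAL_MANAGER_INSTRUCTIONS = (
    "You are a goal generation expert. You help users create goals based on "
    "their messages. Extract goal details from the user's message."
)

@dataclass
class CheckResult:
    tripped: bool
    reason: str = ""
    redacted: str = ""  # filled only by check_pii

def check_length(text, limit=MAX_INPUT_CHARS):
    """Input Length Limit: reject before the model ever sees the message."""
    if len(text) > limit:
        return CheckResult(True, f"input is {len(text)} chars, limit {limit}")
    return CheckResult(False)

def check_pii(text):
    """PII Leakage: flag matches and return an anonymised copy, so the caller
    can either block the message or forward the redacted text."""
    found, redacted = [], text
    for kind, pattern in PII_PATTERNS.items():
        if pattern.search(redacted):
            found.append(kind)
            redacted = pattern.sub(f"<{kind}>", redacted)
    return CheckResult(bool(found), "PII: " + ", ".join(found) if found else "", redacted)

def _normalize(text):
    return re.sub(r"\s+", " ", text).strip().lower()

def check_prompt_leak(output, system_prompt, window_words=8):
    """System Prompt Leakage: an exact-string check is defeated by case changes
    or re-wrapping, so flag any run of `window_words` consecutive prompt words
    in the normalised output. Paraphrase or translation still evades this and
    needs a model-based judge on top."""
    haystack = _normalize(output)
    words = _normalize(system_prompt).split(" ")
    for start in range(max(1, len(words) - window_words + 1)):
        fragment = " ".join(words[start:start + window_words])
        if fragment and fragment in haystack:
            return CheckResult(True, f"system prompt fragment leaked: {fragment!r}")
    return CheckResult(False)

def flatten_input(user_input):
    """openai-agents hands an input guardrail either a str or a list of input
    items whose 'content' is a str or a list of {'type': ..., 'text': ...} parts."""
    if isinstance(user_input, str):
        return user_input
    parts = []
    for item in user_input:
        content = item.get("content", "") if isinstance(item, dict) else ""
        if isinstance(content, str):
            parts.append(content)
        elif isinstance(content, list):
            parts.extend(p.get("text", "") for p in content if isinstance(p, dict))
    return "\n".join(parts)

def build_guarded_agent(name, instructions):
    """Attach the checks to an openai-agents Agent. The SDK import is deferred
    so the pure checks above stay testable without the package installed."""
    from agents import Agent, GuardrailFunctionOutput, input_guardrail, output_guardrail

    def verdict(results):
        for result in results:
            if result.tripped:
                return GuardrailFunctionOutput(output_info=result.reason, tripwire_triggered=True)
        return GuardrailFunctionOutput(output_info="ok", tripwire_triggered=False)

    @input_guardrail
    async def input_checks(ctx, agent, user_input):
        text = flatten_input(user_input)
        return verdict([check_length(text), check_pii(text)])

    @output_guardrail
    async def output_checks(ctx, agent, output):
        text = output if isinstance(output, str) else str(output)
        return verdict([check_prompt_leak(text, instructions), check_pii(text)])

    return Agent(name=name, instructions=instructions,
                 input_guardrails=[input_checks], output_guardrails=[output_checks])
```

With the agent built as build_guarded_agent("goal_manager_agent", GOAL_MANAGER_INSTRUCTIONS), Runner.run raises InputGuardrailTripwireTriggered or OutputGuardrailTripwireTriggered when a check trips, and the reason string is available in the exception's guardrail result. Two caveats for this project's multi-agent layout: openai-agents runs input guardrails only on the first agent of a run and output guardrails only on the last, so the input checks belong on whichever agent receives the user message (the classifiers here) rather than on the agents they hand off to; and check_pii runs on the output side too, because the PII row in the report covers the agent asking users for personal data, not just users volunteering it.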