Scan Details

Project Name | Scan Timestamp | Agentic Framework |
---|---|---|
openai_plooxies-main | 05/16/25 13:22:26 | openai-agents |
Agentic Workflow Graph

(Rendered graph not captured in this export. Legend node types: Agent, Tool, Tool Category, CustomTool, Basic, MCP Server.)
Findings

Vulnerabilities | Agents | Tools |
---|---|---|
2 | 5 | 4 |
Nodes Overview
Agents
Agent Name | LLM Model | System Prompt |
---|---|---|
RoomRecommendingAgent | gpt-4o | You are an elegant and passionate hotel consierge. Advice the guest on which of the rooms should she or he choose.Answer with concise, helpful responses using the FileSearchTool. |
StorytellerAgent | gpt-4o | You are an elegant and passionate hotel consierge. Tell the guest as much as you can on the hotel's history and its unique heritage.Answer with concise, helpful responses using the FileSearchTool. |
VacancyCheckingAgent | gpt-4o | (none) |
BookingAgent | gpt-4o | (none) |
Assistant | gpt-4o | (none) |
Tools
Tool Name | Tool Category | Tool Description | Number of Vulnerabilities |
---|---|---|---|
FileSearchTool | document_loader | A hosted tool that lets the LLM search through a vector store. Currently only supported with OpenAI models, using the Responses API. | 1 |
FileSearchTool | document_loader | A hosted tool that lets the LLM search through a vector store. Currently only supported with OpenAI models, using the Responses API. | 1 |
check_vacancy | default | (no description) | 0 |
book_a_room | default | Book a room of the selected category for all dates from start_date to end_date. Args: start_date (str): start date of the booking in YYYY-MM-DD format; end_date (str): end date of the booking in YYYY-MM-DD format; room_type (str): type of room to book (budget, superior, or executive). Returns: str: booking confirmation or error message. | 0 |
Tool Vulnerabilities

FileSearchTool (finding 1 of 2)

Vulnerability: Indirect Prompt Injection
Description: Any malicious webpage could include hidden prompts that the agent will read, injecting commands into the agent's context (an indirect prompt injection attack).
Security Framework Mapping: OWASP LLM Top 10: LLM01 - Prompt Injection; OWASP Agentic: T6 - Intent Breaking & Goal Manipulation
Remediation Steps:
• Enable URL whitelisting
• Implement guardrails filtering for prompt injection

FileSearchTool (finding 2 of 2)

Vulnerability: Indirect Prompt Injection
Description: Any malicious webpage could include hidden prompts that the agent will read, injecting commands into the agent's context (an indirect prompt injection attack).
Security Framework Mapping: OWASP LLM Top 10: LLM01 - Prompt Injection; OWASP Agentic: T6 - Intent Breaking & Goal Manipulation
Remediation Steps:
• Enable URL whitelisting
• Implement guardrails filtering for prompt injection
Agent Vulnerability Mitigations
Agent Name | Vulnerability | Mitigation Level* | Explanation |
---|---|---|---|
RoomRecommendingAgent | Input Length Limit | None | There are no guardrails mentioned to mitigate this vulnerability. |
RoomRecommendingAgent | Personally Identifiable Information (PII) Leakage | None | There are no guardrails mentioned to mitigate this vulnerability. There are no instructions provided that specifically address the handling or protection of PII. |
RoomRecommendingAgent | Harmful/Toxic/Profane Content | None | There are no guardrails mentioned to mitigate this vulnerability. There are no instructions provided that prevent the use or dissemination of harmful, toxic, or profane content. |
RoomRecommendingAgent | Jailbreak | None | There are no guardrails mentioned to mitigate this vulnerability. There are no instructions provided that prevent the user from manipulating the AI agent into performing actions outside the scope of its guidance. |
RoomRecommendingAgent | Intentional Misuse | None | There are no guardrails mentioned to mitigate this vulnerability. The instructions cover advising on room choices and imply a specific focus, but do not explicitly prevent tasks outside of this scope. |
RoomRecommendingAgent | System Prompt Leakage | None | There are no guardrails mentioned to mitigate this vulnerability. There are no instructions preventing the AI from disclosing its system prompt or operational instructions. |
StorytellerAgent | Input Length Limit | None | There is no information about a guardrail in place to check the length of the user message. |
StorytellerAgent | Personally Identifiable Information (PII) Leakage | None | There is no information about a guardrail in place to detect or prevent PII leakage. There are no instructions in place specifically addressing the handling of personally identifiable information (PII) within the provided system prompt. |
StorytellerAgent | Harmful/Toxic/Profane Content | None | There is no information about a guardrail in place to detect or filter harmful, toxic, or profane content. There are no instructions in place to mitigate harmful, toxic, or profane content within the provided system prompt. |
StorytellerAgent | Jailbreak | None | There is no information about a guardrail in place to prevent the AI agent from being manipulated to act outside of its intended guidelines. There are no instructions explicitly addressing attempts to make the AI act outside of its designated role, which increases the risk of potential jailbreak attempts. |
StorytellerAgent | Intentional Misuse | None | There is no information about a guardrail in place to prevent the AI agent from being used in unintended tasks. There are no specific instructions preventing intentional misuse by users attempting tasks outside of the AI's specified function as a hotel concierge. |
StorytellerAgent | System Prompt Leakage | None | There is no information about a guardrail in place to protect against the leakage of the system prompt or instructions. There are no instructions to prevent the user from trying to extract the system prompt or instructions. |
VacancyCheckingAgent | Input Length Limit | None | There are no guardrails in place to mitigate this vulnerability. |
VacancyCheckingAgent | Personally Identifiable Information (PII) Leakage | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to mitigate this vulnerability. |
VacancyCheckingAgent | Harmful/Toxic/Profane Content | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to mitigate this vulnerability. |
VacancyCheckingAgent | Jailbreak | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to mitigate this vulnerability. |
VacancyCheckingAgent | Intentional Misuse | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to mitigate this vulnerability. |
VacancyCheckingAgent | System Prompt Leakage | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions in place to mitigate this vulnerability. |
BookingAgent | Input Length Limit | None | There are no guardrails in place to mitigate this vulnerability. |
BookingAgent | Personally Identifiable Information (PII) Leakage | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions provided to mitigate this vulnerability. |
BookingAgent | Harmful/Toxic/Profane Content | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions provided to mitigate this vulnerability. |
BookingAgent | Jailbreak | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions provided to mitigate this vulnerability. |
BookingAgent | Intentional Misuse | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions provided to mitigate this vulnerability. |
BookingAgent | System Prompt Leakage | None | There are no guardrails in place to mitigate this vulnerability. There are no instructions provided to mitigate this vulnerability. |
Assistant | Input Length Limit | None | There is no information on any guardrail that specifically mentions dealing with message length. |
Assistant | Personally Identifiable Information (PII) Leakage | None | There is no information on any guardrail specifically addressing PII leakage. There are no instructions in place to mitigate this vulnerability. |
Assistant | Harmful/Toxic/Profane Content | None | There is no information on any guardrail specifically addressing harmful, toxic, or profane content. There are no instructions in place to mitigate this vulnerability. |
Assistant | Jailbreak | None | There is no information on any guardrail specifically addressing jailbreak attempts. There are no instructions in place to mitigate this vulnerability. |
Assistant | Intentional Misuse | None | There is no information on any guardrail specifically addressing intentional misuse. There are no instructions in place to mitigate this vulnerability. |
Assistant | System Prompt Leakage | None | There is no information on any guardrail specifically addressing system prompt leakage. There are no instructions in place to mitigate this vulnerability. |
*The "Mitigation Level" column shows to what extent a vulnerability is mitigated. "Full" indicates that both a system prompt instruction and a guardrail are in place. "Partial" indicates that one of the two is in place. "None" indicates that neither one is in place. (This applies to all vulnerabilities except "Input Length Limit", for which only the guardrail is taken into account.)
Agent Vulnerability Explanations
Agent Vulnerability | Framework Mapping | Description |
---|---|---|
Input Length Limit | OWASP LLM Top 10: LLM01 - Prompt Injection; LLM10 - Unbounded Consumption. OWASP Agentic: T2 - Tool Misuse; T4 - Resource Overload; T6 - Intent Breaking & Goal Manipulation; T7 - Misaligned & Deceptive Behaviors | An attacker can overwhelm the LLM's context with a very long message and cause it to ignore previous instructions or produce undesired actions. Mitigation: add a Guardrail that checks whether the user message contains more than the maximum allowed number of characters (200-500 will suffice in most cases). |
Personally Identifiable Information (PII) Leakage | OWASP LLM Top 10: LLM02 - Sensitive Information Disclosure; LLM05 - Improper Output Handling. OWASP Agentic: T7 - Misaligned & Deceptive Behaviors; T9 - Identity Spoofing & Impersonation; T15 - Human Manipulation | An attacker can manipulate the LLM into exfiltrating PII, or into requesting that users disclose PII. Mitigation: add a Guardrail that checks user and agent messages for PII and anonymizes or flags them; include agent instructions that clearly state that it should not handle PII. |
Harmful/Toxic/Profane Content | OWASP LLM Top 10: LLM05 - Improper Output Handling. OWASP Agentic: T7 - Misaligned & Deceptive Behaviors; T11 - Unexpected RCE and Code Attacks | An attacker can use the LLM to generate harmful, toxic, or profane content, or engage in conversations about such topics. Mitigation: add a Guardrail that checks user and agent messages for toxic, harmful, and profane content; include agent instructions that prohibit the agent from engaging in conversation about, or creating, harmful, toxic, or profane content. |
Jailbreak | OWASP LLM Top 10: LLM01 - Prompt Injection; LLM02 - Sensitive Information Disclosure; LLM05 - Improper Output Handling; LLM09 - Misinformation; LLM10 - Unbounded Consumption. OWASP Agentic: T1 - Memory Poisoning; T2 - Tool Misuse; T3 - Privilege Compromise; T4 - Resource Overload; T6 - Intent Breaking & Goal Manipulation; T7 - Misaligned & Deceptive Behaviors; T9 - Identity Spoofing & Impersonation; T11 - Unexpected RCE and Code Attacks; T13 - Rogue Agents in Multi-Agent Systems; T15 - Human Manipulation | An attacker can try to craft their messages in a way that makes the LLM forget all previous instructions so that it can be used for any task the attacker wants. Mitigation: add a Guardrail that checks user messages for attempts at circumventing the LLM's instructions; include agent instructions stating that the agent should not alter its instructions and should ignore user messages that try to convince it otherwise. |
Intentional Misuse | OWASP LLM Top 10: LLM01 - Prompt Injection; LLM10 - Unbounded Consumption. OWASP Agentic: T2 - Tool Misuse; T4 - Resource Overload; T6 - Intent Breaking & Goal Manipulation | An attacker can try to use the LLM instance for tasks other than its intended usage, to drain resources or for personal gain. Mitigation: add a Guardrail that checks user messages for tasks outside the agent's intended usage; include agent instructions that prohibit the agent from engaging in any tasks that are not its intended usage. |
System Prompt Leakage | OWASP LLM Top 10: LLM01 - Prompt Injection; LLM02 - Sensitive Information Disclosure; LLM07 - System Prompt Leakage. OWASP Agentic: T2 - Tool Misuse; T3 - Privilege Compromise; T6 - Intent Breaking & Goal Manipulation; T7 - Misaligned & Deceptive Behaviors | An attacker can make the LLM reveal its system prompt/instructions in order to leak sensitive business logic or craft other attacks better suited to this LLM. Mitigation: add a Guardrail that checks agent messages for the exact text of the agent's system prompt; include agent instructions that highlight that the system prompt/instructions are confidential and should not be shared. |