AI Audit Findings Library
Reusable finding patterns for real AI security work. Each entry focuses on the root cause, exploit path, evidence an auditor should collect, and what to check next.
Approval Scope Mismatch on High-Impact Actions
Severity: Critical. The operator approves a coarse action label, but the agent retains control over the risky parameters that determine the true impact.
Affected systems: Coding agents, Long-lived agents, Agentic DeFi systems
Persistent Memory Poisoning with Temporal Re-Entry
Severity: Critical. A low-trust write enters durable memory or summary state and is later retrieved in a higher-trust context that unlocks privileged action.
Affected systems: Long-lived agents, Multi-agent orchestration systems, Agentic DeFi systems
Prompt-to-Shell Execution via Unsafe Command Construction
Severity: Critical. Untrusted prompt-derived content reaches shell execution through string interpolation, template expansion, or unsafe command wrappers.
Affected systems: Coding agents, MCP-connected agents, Long-lived agents
Tool or Manifest Capability Overclaim
Severity: High. A tool, plugin, skill, or MCP manifest overstates its safety or understates the authority it actually grants to the agent runtime.
Affected systems: MCP deployments, Coding agents, Long-lived agents
Unverified Financial Destination Selection
Severity: Critical. The agent selects recipients, routers, bridges, protocols, or calldata destinations from mixed-trust context without independent validation.
Affected systems: Agentic DeFi systems, Treasury agents, Trading agents