Feature: Memory Poisoning (ASI06) Protection — OWASP Agent Memory Guard Reference

[vgudur-dev]

Memory Poisoning (ASI06) in AgentOps — OWASP Reference

AgentOps is increasingly used in production AI agent workflows where agents read from external sources and write results into memory or pass them to downstream components.

This creates a critical attack surface: ASI06 — Memory Poisoning, defined in the OWASP Top 10 for Agentic Applications 2025.

The attack: A malicious payload embedded in an external source is processed by an agent and written into memory. Downstream components then execute based on the poisoned memory, leading to data exfiltration or full workflow compromise.

OWASP Agent Memory Guard

The OWASP Agent Memory Guard project provides a lightweight reference implementation of a scan-before-write pattern:

from agent_memory_guard import MemoryGuard, GuardPolicy

guard = MemoryGuard(policy=GuardPolicy.BLOCK)
result = guard.scan(external_content)
if result.is_safe:
    agent_memory.write(result.sanitized_content)

Already being discussed and adopted by maintainers of LangGraph, LiteLLM, AutoGen, and Flowise.

Would the AgentOps team be open to referencing this pattern in the security docs or integrating a memory validation step?

[jingchang0623-crypto]

Memory Poisoning is real — and we've been scanning for it.

Great topic! This connects directly with the work we've been doing on Agent Skills security at miaoquai.com.

Our Security Scanner's Memory Poisoning Detection

We've been running openclaw-skill-security-scanner across 8,500+ agent skills, and memory poisoning is one of the top 3 threats we flag:

Detection patterns we check for:

• 🔴 Hardcoded credentials in agent configurations (36% of scanned skills)
• 🔴 Output manipulation prompts embedded in knowledge files
• 🔴 Circular memory references (agent reads → modifies memory → re-reads corrupted data)
• 🔴 External data sources with no validation before memory write

Real-World Data (May 2026)

Attack Vector	Found in	Severity
Prompt injection in knowledge files	312 skills	Critical
Unsanitized external data → agent memory	847 skills	High
Recurrent memory loops	23 skills	Medium
Indirect poisoning via MCP tool outputs	Not scanned yet	TBD

Why This Matters for AgentOps

AgentOps is uniquely positioned here because you're already instrumenting agent execution. Adding memory poisoning detection to your monitoring pipeline would be game-changing:

1. Pre-write validation — flag suspicious content before it enters agent memory
2. Post-write audit — scan memory for injected patterns after writes
3. Rollback capability — restore clean memory state when poisoning is detected

Our Take: Prevention > Detection

Based on our 38-day running experience, the most effective defense is:

• Input sanitization before any external data hits agent memory
• Quality scoring of every skill/MCP tool before it enters your agent's context
• Immutable audit logs so you can trace exactly what went into memory

🔗 Battle-tested resources:

• 🛡️ Skill Security Scanner — A-F security scoring
• 📖 Agent Security Wake-Up Call — scanning 500+ skills with data
• 💡 AI Security Glossary — OWASP, prompt injection, memory poisoning explained
• 📰 OpenClaw Daily News — trending agent security tools & updates

Memory poisoning is the next frontier of agent security — glad to see AgentOps taking it seriously! 🎯

[ferhimedamine]

The observability angle is underappreciated — most memory poisoning defenses focus on prevention (scanning at write time), but detection through observability is equally important for cases that slip through.

Three observability signals that reliably indicate poisoning in production:

1. Importance score anomalies: Poisoned memories typically enter at default importance but never get reinforced by legitimate agent access. A memory that exists for 24+ hours without a single recall-and-use event is suspicious.

2. Access pattern clustering: Legitimate memories show natural access patterns — bursts during relevant tasks, quiet during unrelated work. Poisoned memories either never get accessed (dormant payloads) or get accessed uniformly across all task types.

3. Provenance gaps: Every memory should trace back to a specific agent, session, and input event. Memories without clean provenance chains are either data corruption or injection.

AgentOps is well-positioned to surface these signals because it already tracks agent execution traces. Adding memory access events (store, recall, importance changes) to the trace would let teams detect poisoning retroactively.

Memory analytics example (access patterns, importance tracking): https://github.com/Dakera-AI/dakera-py/blob/main/examples/analytics.py