Palo Alto Networks的Unit 42发布报告，揭示了AI Agent在从实验系统向生产应用过渡过程中面临的安全挑战。报告指出，尽管AI Agent架构创新，但由于设计、部署和工具连接方式的问题，它们容易受到各种攻击。研究人员通过构建两个功能相同的AI Agent（分别使用CrewAI和AutoGen）发现，漏洞并非框架特有，而是源于配置错误、不安全的提示设计和工具集成不足。报告强调，需要采用分层防御策略，包括提示强化、运行时监控、输入验证和容器级隔离，以应对数据泄露、工具利用和远程代码执行等威胁。

⚠️ **核心威胁：** 报告概述了十个核心威胁，包括提示注入、不安全的工具集成、凭证泄露和不受限制的代码执行等，这些威胁可能导致数据泄露、工具利用和远程代码执行。

🛡️ **防御策略：** 报告强调，缓解这些威胁需要整体控制，包括提示强化（限制指令泄露、工具访问和任务边界）、内容过滤（检测异常模式）和工具集成测试（使用SAST、DAST和SCA分析）。

👨‍💻 **模拟攻击：** Unit 42部署了一个多代理投资助手，并模拟了九个攻击场景，包括提取代理指令和工具模式、通过元数据服务窃取凭证、SQL注入和BOLA漏洞，以及间接提示注入。

🔑 **根本原因：** 大部分漏洞并非源于框架本身（如CrewAI或AutoGen），而是源于应用层设计，例如不安全的角色委派、不正确的工具访问策略和模糊的提示范围。

As AI agents transition from experimental systems to production-scale applications, their growing autonomy introduces novel security challenges. In a comprehensive new report, “AI Agents Are Here. So Are the Threats,” Palo Alto Networks’ Unit 42 reveals how today’s agentic architectures—despite their innovation—are vulnerable to a wide range of attacks, most of which stem not from the frameworks themselves, but from the way agents are designed, deployed, and connected to external tools.

To evaluate the breadth of these risks, Unit 42 researchers constructed two functionally identical AI agents—one built using CrewAI and the other with AutoGen. Despite architectural differences, both systems exhibited the same vulnerabilities, confirming that the underlying issues are not framework-specific. Instead, the threats arise from misconfigurations, insecure prompt design, and insufficiently hardened tool integrations—issues that transcend implementation choices.

Understanding the Threat Landscape

The report outlines ten core threats that expose AI agents to data leakage, tool exploitation, remote code execution, and more:

Prompt Injection and Overly Broad Prompts
Prompt injection remains a potent vector, enabling attackers to manipulate agent behavior, override instructions, and misuse integrated tools. Even without classic injection syntax, loosely defined prompts are prone to exploitation.Framework-Agnostic Risk Surfaces
The majority of vulnerabilities originate not in the frameworks (e.g., CrewAI or AutoGen), but in application-layer design: insecure role delegation, improper tool access policies, and ambiguous prompt scoping.Unsafe Tool Integrations
Many agentic applications integrate tools (e.g., code execution modules, SQL clients, web scrapers) with minimal access control. These integrations, when not properly sanitized, dramatically expand the agent’s attack surface.Credential Exposure
Agents can inadvertently expose service credentials, tokens, or API keys—allowing attackers to escalate privileges or impersonate agents across environments.Unrestricted Code Execution
Code interpreters within agents, if not sandboxed, permit execution of arbitrary payloads. Attackers can use these to access file systems, networks, or metadata services—frequently bypassing traditional security layers.Lack of Layered Defense
Single-point mitigations are insufficient. A robust security posture demands defense-in-depth strategies that combine prompt hardening, runtime monitoring, input validation, and container-level isolation.Prompt Hardening
Agents must be configured with strict role definitions, rejecting requests that fall outside predefined scopes. This reduces the likelihood of successful goal manipulation or instruction disclosure.Runtime Content Filtering
Real-time input and output inspection—such as filtering prompts for known attack patterns—is critical for detecting and mitigating dynamic threats as they emerge.Tool Input Sanitization
Structured input validation—checking formats, enforcing types, and limiting values—is essential to prevent SQL injections, malformed payloads, or cross-agent misuse.Code Executor Sandboxing
Execution environments must restrict network access, drop unnecessary system capabilities, and isolate temporary storage to reduce the impact of potential breaches.

Simulated Attacks and Practical Implications

To illustrate these risks, Unit 42 deployed a multi-agent investment assistant and simulated nine attack scenarios. These included:

Extracting Agent Instructions and Tool Schemas
By leveraging prompt engineering, attackers could enumerate all internal agents, retrieve their task definitions, and understand tool APIs—facilitating downstream attacks.Credential Theft via Metadata Services
Using malicious Python scripts injected into code interpreters, attackers accessed GCP metadata endpoints and exfiltrated service account tokens.SQL Injection and BOLA Exploits
Agents relying on unvalidated input for database queries were susceptible to both SQL injection and broken object-level authorization (BOLA), allowing attackers to read arbitrary user data.Indirect Prompt Injection
Malicious websites embedded instructions that caused agents to send user conversation histories to attacker-controlled domains, highlighting risks tied to autonomous browsing or reading tools.

Each of these scenarios exploited common design oversights, not novel zero-days. This underscores the urgent need for standardized threat modeling and secure agent development practices.

Defense Strategies: Moving Beyond Patchwork Fixes

The report emphasizes that mitigating these threats requires holistic controls:

Prompt hardening should limit instruction leakage, restrict tool access, and enforce task boundaries.Content filtering must be applied both pre- and post-inference, detecting anomalous patterns in agent interactions.Tool integrations should be rigorously tested using static (SAST), dynamic (DAST), and dependency (SCA) analysis.Code execution environments must employ strict sandboxing, including network egress filtering, syscall restrictions, and memory capping.

Palo Alto Networks recommends its AI Runtime Security and AI Access Security platforms as part of a layered defense approach. These solutions provide visibility into agent behaviors, monitor for misuse of third-party generative AI tools, and enforce enterprise-level policies on agent interactions.

Conclusion

The rise of AI agents marks a significant evolution in autonomous systems. But as Unit 42’s findings reveal, their security must not be an afterthought. Agentic applications extend the vulnerability surface of LLMs by integrating external tools, enabling self-modification, and introducing complex communication patterns—any of which can be exploited without sufficient safeguards.

Securing these systems demands more than robust frameworks—it requires deliberate design choices, continuous monitoring, and layered defenses. As enterprises begin to adopt AI agents at scale, now is the time to establish security-first development practices that evolve alongside the intelligence they’re building.

---

Check out the Full Guide. Also, don’t forget to follow us on Twitter and join our Telegram Channel and LinkedIn Group. Don’t Forget to join our 90k+ ML SubReddit.

[Register Now] miniCON Virtual Conference on AGENTIC AI: FREE REGISTRATION + Certificate of Attendance + 4 Hour Short Event (May 21, 9 am- 1 pm PST) + Hands on Workshop

The post AI Agents Are Here—So Are the Threats: Unit 42 Unveils the Top 10 AI Agent Security Risks appeared first on MarkTechPost.