v3/docs/dream-cycle/2026-07-06-security-sota-report.md
TL;DR: 2026 research proves that "safe" LLMs become 40–75% exploitable when deployed as agents with tool access — and Ruflo's current security module lacks Verifiable Memory Governance (VMG) and Representation Engineering (RepE) IPI detection, both now SOTA requirements for production agent deployments.
| Finding | Source | Confidence |
|---|---|---|
| "Safe" LLMs yield 40–75% attack success as agents (skill files highest risk) | ClawSafety, arXiv:2604.01438 | A |
| Persistent memory introduces Write/Store/Retrieve/Execute/Share/Forget attack phases — cannot retrofit at retrieval time alone | Memory Security Survey, arXiv:2604.16548 | A |
| Indirect Prompt Injections bypass all baseline defenses; RepE (Representation Engineering) at tool-input position achieves high detection across 9 LLMs | IPI study, arXiv:2604.03870 | A |
| OWASP released standalone "Top 10 for Agentic Applications 2026" covering Agent Goal Hijack, Tool Misuse, Memory Poisoning | OWASP GenAI Security Project | B |
| IMA attack on multi-agent systems (MetaGPT, CrewAI) reaches 89% jailbreak success vs single-agent baseline | Multi-agent jailbreak study 2026 | B |
| Lightweight inference-time defense filters consistently bypassed by long reasoning-heavy prompts | arXiv:2602.22242 | A |
| AutoJack: AutoGen Studio browser-agent exploited to reach privileged localhost service — zero user interaction required | AutoJack 2026 | B |
| Capability | Status | Gap |
|---|---|---|
| Input validation (Zod-based) | ✅ @claude-flow/security InputValidator | None at boundary |
| Path traversal prevention | ✅ PathValidator | None |
| Command injection protection | ✅ SafeExecutor | None |
| Plugin supply chain integrity | ✅ ADR-145 | None |
| Security CVE posture | ✅ ADR-165 | None |
| Verifiable Memory Governance (VMG) | ❌ Not implemented | Storage-time provenance, versioning, policy-aware retention missing |
| Representation Engineering (RepE) IPI detection | ❌ Not implemented | No tool-input state monitoring |
| OWASP Agentic Top 10 2026 compliance mapping | ❌ No mapping exists | 10 risks unaudited |
| Skill file sandboxing | ❌ Skill files not isolated | Highest attack risk per ClawSafety |
| Agent-to-agent (A2A) trust boundaries | ❌ No zero-trust A2A | Cross-agent propagation unmitigated |
| Framework | Memory Security | Skill/Tool Isolation | IPI Defense | A2A Trust |
|---|---|---|---|---|
| LangGraph v0.4 | PostgresSaver checkpointer, human-in-the-loop | Policy enforcement hooks, tool allowlists | None published | None published |
| AutoGen 1.0 GA | Memory scoping controls | Docker/gVisor/Firecracker sandboxes | AutoJack vuln disclosed | Not implemented |
| CrewAI 0.95 | Memory backend abstraction (pluggable) | None dedicated | IMA attack 89% success (vuln) | Not implemented |
| OpenAI Agents SDK | Session-scoped only | Explicit handoff model | None published | Handoff as trust boundary |
| Ruflo 3.6.10 | AgentDB hybrid (SQLite+HNSW) | @claude-flow/security | None | SendMessage (no signing) |
| Benchmark | Value | Grade | Source |
|---|---|---|---|
| ClawSafety attack success rate on "safe" LLMs-as-agents | 40–75% across models | A | arXiv:2604.01438 (2026, peer-reviewed) |
| RepE detection accuracy across 9 LLMs | "high detection accuracy" (exact % not published) | A | arXiv:2604.03870 (2026, peer-reviewed) |
| IMA multi-agent jailbreak success (CrewAI/MetaGPT) | 89% | B | 2026 multi-agent jailbreak study (vendor crosschecked) |
| HackerOne AI vulnerability report spike | 210% increase (Oct 2025 baseline) | B | HackerOne 2025 report |
Session commit: 865dd7dd2b2a830209e64bb3e4aed935d2471d76
Report SHA-256: ee2577535df493f22f66b9a26123d7d61c4556dd8e51cbc2dfda1e017bb1bcde
Witness stamp: 2749e549678c2726b63247a0a462bffe0ca3a2f923bb971a828a5f7913094e73
Verifier: fetch raw file → sha256sum → concat session commit → sha256sum → must equal witness stamp
Implement Verifiable Memory Governance (VMG) in AgentDB: add storage-time provenance metadata, memory write versioning, and policy-aware retention rules per the Memory Lifecycle Framework (arXiv:2604.16548). Propose as ADR-178. Estimated: 2 sprints.
Add RepE-based IPI detection hook in @claude-flow/security: instrument tool-input hidden states to detect abnormal decision entropy before tool execution. Use as pre-tool-call hook in the hooks system (pre-edit, pre-command). Aligns with OWASP Agentic 2026 "Tool Misuse" #2.
Audit skill file loading pipeline against ClawSafety findings: skill files are the highest-risk injection vector (higher than email/web). Add a skill-file signature verification step in @claude-flow/cli plugin loader and map all 10 OWASP Agentic 2026 risks against existing controls.