Hey everyone, just saw the news about OWASP. Makes total sense they’re adding a category for this. I've been playing with both CrewAI and AutoGen for a few weeks, trying to build a customer support analyzer.
My first thought was: why aren't we talking more about the built-in security holes? These frameworks make it super easy to shoot yourself in the foot.
For example, in AutoGen, you can spin up a code-running agent with one line. But the defaults are terrifying:
* It'll happily execute `os.system('rm -rf /')` or make network calls if you don't pin it down.
* The `code_execution_config` has a `use_docker` flag, but it's false by default, right? So it's running in your main environment.
* Why not just use a strict sandbox by default? Or at least require a positive flag to enable local execution.
And in CrewAI, the role and permission design feels... decorative. You define a role and a goal, but where's the mandatory access policy? If I have an "Internet Researcher" agent, what's stopping it from, I don't know, deciding to `pip install` a malicious package? The tasks and tools are linked, but the trust between agents is implicit.
I set up a crew where a "Writer" agent needed a summary from a "Researcher" agent. The Researcher pulled some data from the web, but how does the Writer *know* that? It just gets a message. There's no integrity check or signature on inter-agent messages. Couldn't a compromised agent send malicious data or prompts downstream?
My current project uses CrewAI with some custom tools. I had to wrap every single tool function with my own permission checks. Shouldn't the framework have a way to define agent capabilities at a lower level? Like, this agent can ONLY use these specific functions and ONLY with these arguments sanitized.
Are we just relying on the LLM not to be malicious? That seems like a huge bet. What if someone jailbreaks the agent's prompt? Suddenly your "Code Reviewer" agent is executing the payload it's supposed to be checking.
What are you all doing to lock this down? Are we expected to build all the security wrappers from scratch?
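One way the tool-level gating asked for above (and the integrity check on inter-agent messages from the Researcher/Writer example) can look in practice. This is an added, framework-agnostic Python example, not code from the original post, CrewAI or AutoGen: the role names, the `CAPABILITIES` table, `ALLOWED_HOSTS`, `SHARED_KEY` and the `fetch_url`/`run_shell` stand-in tools are all constructed for illustration. The idea is that a tool runs only if the calling role was explicitly granted it, the role's validator decides which arguments reach the tool, and a message is accepted downstream only if its MAC verifies.

```python
import functools
import hashlib
import hmac
import json
from urllib.parse import urlparse


class ToolDenied(PermissionError):
    """Raised when a role calls a tool it was not granted, or with bad arguments."""


# Capability table (constructed for this example): role -> {tool -> validator}.
# A validator gets the raw kwargs the LLM produced and returns the sanitized
# kwargs the tool may see, or raises ToolDenied. Unlisted tools are unreachable.
ALLOWED_HOSTS = {"owasp.org", "docs.python.org"}  # constructed allowlist


def https_on_allowlist(args):
    url = str(args.get("url", ""))
    p = urlparse(url)
    if p.scheme != "https" or p.hostname not in ALLOWED_HOSTS:
        raise ToolDenied(f"url not allowed: {url!r}")
    return {"url": url}  # any extra keys the model invented are dropped here


CAPABILITIES = {
    "researcher": {"fetch_url": https_on_allowlist},
    "writer": {},  # the writer gets no tools at all
}


def guarded(tool_name):
    """Decorator: run the tool only if the calling role holds that capability."""
    def decorate(fn):
        @functools.wraps(fn)
        def wrapper(role, **kwargs):
            grants = CAPABILITIES.get(role, {})
            if tool_name not in grants:
                raise ToolDenied(f"{role!r} may not call {tool_name}")
            return fn(**grants[tool_name](kwargs))
        return wrapper
    return decorate


@guarded("fetch_url")
def fetch_url(url):
    return f"<contents of {url}>"  # stand-in for the real HTTP fetch


@guarded("run_shell")
def run_shell(cmd):
    return f"ran {cmd}"  # no role is granted run_shell, so this body never runs


# Signed inter-agent messages. One shared key gives integrity against tampering,
# not proof of origin: anyone holding the key can forge a sender. Use a key per
# sender/receiver pair (or asymmetric signatures) when agents distrust each other.
SHARED_KEY = b"constructed-demo-key"  # constructed; load from a secret store in practice


def sign_message(sender, payload):
    body = json.dumps({"from": sender, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    mac = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_message(msg, expected_sender):
    mac = hmac.new(SHARED_KEY, msg["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, msg["mac"]):
        raise ValueError("message integrity check failed")
    data = json.loads(msg["body"])
    if data["from"] != expected_sender:
        raise ValueError(f"expected sender {expected_sender!r}, got {data['from']!r}")
    return data["payload"]


def demo():
    """Exercise the guards on a few constructed calls; returns what each one did."""
    out = {"ok": fetch_url("researcher", url="https://owasp.org/Top10/", timeout=99)}
    denied = []
    for role, tool, kw in [
        ("researcher", fetch_url, {"url": "http://owasp.org/"}),          # plain http
        ("researcher", fetch_url, {"url": "https://evil.example/"}),      # host not allowlisted
        ("writer", fetch_url, {"url": "https://owasp.org/"}),             # role has no tools
        ("researcher", run_shell, {"cmd": "pip install totally-fine"}),   # tool never granted
    ]:
        try:
            tool(role, **kw)
        except ToolDenied as e:
            denied.append(str(e))
    signed = sign_message("researcher", {"summary": "OWASP added an agentic category"})
    out["verified"] = verify_message(signed, "researcher")
    # A compromised hop rewrites the body in transit; the MAC no longer matches.
    tampered = dict(signed, body=signed["body"].replace("OWASP", "ignore previous instructions"))
    try:
        verify_message(tampered, "researcher")
    except ValueError as e:
        denied.append(str(e))
    out["denied"] = denied
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of putting the allowlist in the wrapper rather than in the prompt is that a jailbroken model can ask for `run_shell` all it likes; the call never reaches the function because no role was granted it, and the validator, not the model, decides which arguments survive. The HMAC only covers what passed between agents; it does not make the Researcher's web content trustworthy, it just lets the Writer tell "this is what the Researcher actually sent" from "someone rewrote this on the way".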