Technology Radar
Agent capabilities are outpacing security practices. With the rise of permission-hungry agents like OpenClaw, teams are increasingly deploying agents in environments that expose them to the lethal trifecta: access to private data, exposure to untrusted content and the ability to communicate externally. As capabilities grow, so too does the attack surface, exposing systems to risks such as prompt injection and tool poisoning. We continue to see toxic flow analysis as a primary technique for examining agentic systems to identify unsafe data paths and potential attack vectors. These risks are no longer limited to MCP integrations; our teams have observed similar patterns in Agent Skills, where a malicious actor can package a seemingly useful skill that embeds hidden instructions to exfiltrate sensitive data. We strongly encourage teams working with agents to perform toxic flow analysis and use tools such as Agent Scan to identify unsafe data paths before they're exploited.
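The sketch below is an added example, not part of the original blip and not how Agent Scan works internally: a minimal toxic flow check that labels each tool in an agent's inventory with the trifecta legs it contributes and enumerates every combination that completes all three. The tool names and their labels are constructed assumptions; in a real review, assigning those labels is the analysis work.

```python
from dataclasses import dataclass
from itertools import product

# The three legs of the lethal trifecta named in the text.
UNTRUSTED, PRIVATE, EXTERNAL = "untrusted_content", "private_data", "external_comms"
LEGS = (UNTRUSTED, PRIVATE, EXTERNAL)

@dataclass(frozen=True)
class Tool:
    name: str
    labels: frozenset  # trifecta legs this tool contributes (may be several, or none)

def by_leg(tools):
    """Group tool names under each trifecta leg they contribute to."""
    return {leg: sorted(t.name for t in tools if leg in t.labels) for leg in LEGS}

def toxic_flows(tools):
    """Every (untrusted source, private data, external sink) triple the agent can chain."""
    legs = by_leg(tools)
    return list(product(legs[UNTRUSTED], legs[PRIVATE], legs[EXTERNAL]))

def smallest_cuts(tools):
    """Legs with the fewest tools: removing or gating all tools on one such leg
    breaks every toxic flow. Empty when no complete flow exists."""
    legs = by_leg(tools)
    if not all(legs.values()):
        return {}
    fewest = min(len(names) for names in legs.values())
    return {leg: names for leg, names in legs.items() if len(names) == fewest}

# Constructed inventory for a hypothetical coding agent. Note that one tool
# (web_fetch) sits on two legs: it reads attacker-controllable pages and can
# also send data out.
AGENT_TOOLS = [
    Tool("read_issue_comments", frozenset({UNTRUSTED})),
    Tool("read_private_repo", frozenset({PRIVATE})),
    Tool("web_fetch", frozenset({UNTRUSTED, EXTERNAL})),
    Tool("run_tests", frozenset()),
]

if __name__ == "__main__":
    for src, data, sink in toxic_flows(AGENT_TOOLS):
        print(f"TOXIC FLOW: {src} -> {data} -> {sink}")
    for leg, names in smallest_cuts(AGENT_TOOLS).items():
        print(f"cut candidate ({leg}): {', '.join(names)}")
```

Running the same check on each proposed MCP server or skill before it is installed shows whether the addition completes a leg that was previously missing.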