Skip to main content

Agentic AI security scanner — OWASP ASI Top 10

Project description

Condor

Agentic AI security scanner — OWASP ASI Top 10

CI PyPI Python 3.11+ License: MIT

Condor scans agentic AI platforms for security vulnerabilities mapped to the OWASP Top 10 for Agentic Applications. It understands the semantics of each platform — enumerating chatflows, tools, vectorstores, and agent surfaces — then runs 10 specialized modules in parallel.

Against a Flowise 1.8.2 instance, Condor finds 9 findings in 3.6 seconds — 3 CRITICAL, 5 HIGH, 1 MEDIUM — all confirmed true positives mapping to published GHSAs.

Part of the CobaltoSec toolkit alongside Corvus (MCP security) and Llamascope (AI infra discovery).

Install

pip install cobaltosec-condor

Quick start

# Scan a Flowise instance
condor scan --url http://localhost:3000 --platform flowise

# JSON output for piping
condor scan --url http://localhost:3000 --platform flowise --format json --stdout | jq '.findings[].severity'

# SARIF output for GitHub Code Scanning
condor scan --url http://localhost:3000 --platform flowise --format sarif

# Authenticated scan
condor scan --url https://letta.internal --platform letta --api-key $LETTA_KEY

# Batch scan from a targets file
condor scan --targets targets.txt --platform generic --concurrency 10 --format json

# Run specific modules only
condor scan --url http://localhost:3000 --platform flowise -m privilege-abuse -m code-execution

Modules — 10 / 10 OWASP ASI

Module ASI What it tests
goal-hijack ASI01 Prompt injection, jailbreaks, indirect injection via tool output
tool-misuse ASI02 Path traversal, SSRF, SSTI, credential exposure
privilege-abuse ASI03 Unauthenticated endpoints, IDOR, header bypass (CVE-2026-30820)
supply-chain ASI04 CVE detection via OSV.dev, poisoned tool descriptions
code-execution ASI05 eval/exec sinks, unauthenticated RCE endpoints
memory-poisoning ASI06 Vectorstore access without auth, adversarial injection
inter-agent ASI07 Inter-agent channels, origin forgery
cascading-failures ASI08 Rate limit bypass, task queue exposure
trust-exploitation ASI09 System prompt exposure, AI identity disclosure
rogue-agents ASI10 Unauthenticated agent/tool creation, webhook registration

Supported platforms — 16

Platform --platform Notes
Flowise flowise chatflows, tools, vectorstores, apikey endpoint
Langflow langflow flows, custom component execution
Dify dify apps, datasets, system prompt modification
AutoGen Studio autogen tools/execute RCE surface
n8n n8n workflows, credential endpoints
LlamaIndex llamaindex FastAPI agent server
CrewAI crewai FastAPI serve
LangGraph langgraph threads, store, runs
Ollama ollama model server, write endpoints
OpenAI-compatible openai-compat vLLM, LocalAI, LM Studio
Open WebUI openwebui Python function/tool creation (persistent RCE surface)
Hayhooks hayhooks pipeline endpoints, OpenAPI spec
Letta letta per-agent memory IDOR, /v1/tools/run RCE (GHSA-p67m-xf4h-2r78)
Qdrant qdrant collections, snapshot SSRF
Chroma chroma collections v1/v2, unauthenticated writes
Generic HTTP generic OpenAPI/Swagger auto-parsing, GraphQL introspection

Output formats

--format table    # Rich terminal table (default)
--format json     # Structured JSON
--format sarif    # SARIF 2.1.0 — GitHub Code Scanning / SAST tooling
--format html     # Self-contained HTML with dark mode and collapsible findings
--format junit    # JUnit XML — Jenkins, GitLab, CircleCI
--format both     # JSON + SARIF written simultaneously
--stdout          # Emit JSON to stdout for piping (suppresses progress bar)

Advanced usage

# Suppress known-good findings with a baseline
condor scan --url http://localhost:3000 --platform flowise --save-baseline baseline.json
condor scan --url http://localhost:3000 --platform flowise --baseline baseline.json

# Route through Burp Suite
condor scan --url http://localhost:3000 --platform flowise \
  --proxy http://127.0.0.1:8080 --insecure

# Only report HIGH and above
condor scan --url http://localhost:3000 --platform flowise --min-severity high

# Load defaults from a config file
condor scan --config condor.yaml

# Scaffold a new module
condor scaffold --name my-check --asi 03

GitHub Actions

- uses: CobaltoSec/condor/.github/actions/condor-scan@v1
  with:
    url: ${{ env.STAGING_URL }}
    platform: flowise
    format: sarif
    fail-on: critical

- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: condor-results/report.sarif

Integrations

# Slack / Teams notifications
condor scan --url http://localhost:3000 --platform flowise \
  --notify-slack $SLACK_WEBHOOK_URL

# DefectDojo export
condor scan --url http://localhost:3000 --platform flowise \
  --defectdojo-url https://defectdojo.internal \
  --defectdojo-token $DD_TOKEN \
  --defectdojo-product "AI Platform Audit"

Plugin system

Third-party modules and platform adapters are auto-discovered via importlib.metadata entry points:

# pyproject.toml of your plugin package
[project.entry-points."condor.modules"]
my-check = "my_package.modules:MyCheckModule"

[project.entry-points."condor.platforms"]
my-platform = "my_package.platforms:MyPlatform"

Compliance

Every finding includes references to ISO/IEC 42001, NIST AI RMF, and EU AI Act. CWE IDs are included in SARIF output for integration with SAST tooling.

Responsible Disclosure

Findings discovered by Condor are reported under the CobaltoSec Responsible Disclosure Policy. Vendors are notified privately via GitHub Security Advisory before any public disclosure.

License

MIT © CobaltoSec

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cobaltosec_condor-1.0.0.tar.gz (105.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cobaltosec_condor-1.0.0-py3-none-any.whl (83.5 kB view details)

Uploaded Python 3

File details

Details for the file cobaltosec_condor-1.0.0.tar.gz.

File metadata

  • Download URL: cobaltosec_condor-1.0.0.tar.gz
  • Upload date:
  • Size: 105.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for cobaltosec_condor-1.0.0.tar.gz
Algorithm Hash digest
SHA256 331728ba18f53587169e8aaba3847a00197dd793aac3d8a4dcfe78ccd0191a34
MD5 798b4358ad44ab3feeedb5bc87ac495c
BLAKE2b-256 699c5f71def8028eada6d0b5839db13cb98522e8837fde775dbf8b31c6a3030b

See more details on using hashes here.

Provenance

The following attestation bundles were made for cobaltosec_condor-1.0.0.tar.gz:

Publisher: publish.yml on CobaltoSec/condor

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cobaltosec_condor-1.0.0-py3-none-any.whl.

File metadata

File hashes

Hashes for cobaltosec_condor-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 e1cecff34dd0380e179352c553c3a9f072adeb2b904a818408b7c0df6b45af80
MD5 161907d1175aaee5b75d4480057d03e8
BLAKE2b-256 95373d9999f7745c6903b654fd17fcdb3c90b37812b84c5215bb824290992fa3

See more details on using hashes here.

Provenance

The following attestation bundles were made for cobaltosec_condor-1.0.0-py3-none-any.whl:

Publisher: publish.yml on CobaltoSec/condor

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page