Agentic AI security scanner — OWASP ASI Top 10
Project description
Condor
Agentic AI security scanner — OWASP ASI Top 10
Condor scans agentic AI platforms for security vulnerabilities mapped to the OWASP Top 10 for Agentic Applications. It understands the semantics of each platform — enumerating chatflows, tools, vectorstores, and agent surfaces — then runs 10 specialized modules in parallel.
Against a Flowise 1.8.2 instance, Condor finds 9 findings in 3.6 seconds — 3 CRITICAL, 5 HIGH, 1 MEDIUM — all confirmed true positives mapping to published GHSAs.
Part of the CobaltoSec toolkit alongside Corvus (MCP security) and Llamascope (AI infra discovery).
Install
pip install cobaltosec-condor
Quick start
# Scan a Flowise instance
condor scan --url http://localhost:3000 --platform flowise
# JSON output for piping
condor scan --url http://localhost:3000 --platform flowise --format json --stdout | jq '.findings[].severity'
# SARIF output for GitHub Code Scanning
condor scan --url http://localhost:3000 --platform flowise --format sarif
# Authenticated scan
condor scan --url https://letta.internal --platform letta --api-key $LETTA_KEY
# Batch scan from a targets file
condor scan --targets targets.txt --platform generic --concurrency 10 --format json
# Run specific modules only
condor scan --url http://localhost:3000 --platform flowise -m privilege-abuse -m code-execution
Modules — 10 / 10 OWASP ASI
| Module | ASI | What it tests |
|---|---|---|
goal-hijack |
ASI01 | Prompt injection, jailbreaks, indirect injection via tool output |
tool-misuse |
ASI02 | Path traversal, SSRF, SSTI, credential exposure |
privilege-abuse |
ASI03 | Unauthenticated endpoints, IDOR, header bypass (CVE-2026-30820) |
supply-chain |
ASI04 | CVE detection via OSV.dev, poisoned tool descriptions |
code-execution |
ASI05 | eval/exec sinks, unauthenticated RCE endpoints |
memory-poisoning |
ASI06 | Vectorstore access without auth, adversarial injection |
inter-agent |
ASI07 | Inter-agent channels, origin forgery |
cascading-failures |
ASI08 | Rate limit bypass, task queue exposure |
trust-exploitation |
ASI09 | System prompt exposure, AI identity disclosure |
rogue-agents |
ASI10 | Unauthenticated agent/tool creation, webhook registration |
Supported platforms — 16
| Platform | --platform |
Notes |
|---|---|---|
| Flowise | flowise |
chatflows, tools, vectorstores, apikey endpoint |
| Langflow | langflow |
flows, custom component execution |
| Dify | dify |
apps, datasets, system prompt modification |
| AutoGen Studio | autogen |
tools/execute RCE surface |
| n8n | n8n |
workflows, credential endpoints |
| LlamaIndex | llamaindex |
FastAPI agent server |
| CrewAI | crewai |
FastAPI serve |
| LangGraph | langgraph |
threads, store, runs |
| Ollama | ollama |
model server, write endpoints |
| OpenAI-compatible | openai-compat |
vLLM, LocalAI, LM Studio |
| Open WebUI | openwebui |
Python function/tool creation (persistent RCE surface) |
| Hayhooks | hayhooks |
pipeline endpoints, OpenAPI spec |
| Letta | letta |
per-agent memory IDOR, /v1/tools/run RCE (GHSA-p67m-xf4h-2r78) |
| Qdrant | qdrant |
collections, snapshot SSRF |
| Chroma | chroma |
collections v1/v2, unauthenticated writes |
| Generic HTTP | generic |
OpenAPI/Swagger auto-parsing, GraphQL introspection |
Output formats
--format table # Rich terminal table (default)
--format json # Structured JSON
--format sarif # SARIF 2.1.0 — GitHub Code Scanning / SAST tooling
--format html # Self-contained HTML with dark mode and collapsible findings
--format junit # JUnit XML — Jenkins, GitLab, CircleCI
--format both # JSON + SARIF written simultaneously
--stdout # Emit JSON to stdout for piping (suppresses progress bar)
Advanced usage
# Suppress known-good findings with a baseline
condor scan --url http://localhost:3000 --platform flowise --save-baseline baseline.json
condor scan --url http://localhost:3000 --platform flowise --baseline baseline.json
# Route through Burp Suite
condor scan --url http://localhost:3000 --platform flowise \
--proxy http://127.0.0.1:8080 --insecure
# Only report HIGH and above
condor scan --url http://localhost:3000 --platform flowise --min-severity high
# Load defaults from a config file
condor scan --config condor.yaml
# Scaffold a new module
condor scaffold --name my-check --asi 03
GitHub Actions
- uses: CobaltoSec/condor/.github/actions/condor-scan@v1
with:
url: ${{ env.STAGING_URL }}
platform: flowise
format: sarif
fail-on: critical
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: condor-results/report.sarif
Integrations
# Slack / Teams notifications
condor scan --url http://localhost:3000 --platform flowise \
--notify-slack $SLACK_WEBHOOK_URL
# DefectDojo export
condor scan --url http://localhost:3000 --platform flowise \
--defectdojo-url https://defectdojo.internal \
--defectdojo-token $DD_TOKEN \
--defectdojo-product "AI Platform Audit"
Plugin system
Third-party modules and platform adapters are auto-discovered via importlib.metadata entry points:
# pyproject.toml of your plugin package
[project.entry-points."condor.modules"]
my-check = "my_package.modules:MyCheckModule"
[project.entry-points."condor.platforms"]
my-platform = "my_package.platforms:MyPlatform"
Compliance
Every finding includes references to ISO/IEC 42001, NIST AI RMF, and EU AI Act. CWE IDs are included in SARIF output for integration with SAST tooling.
Responsible Disclosure
Findings discovered by Condor are reported under the CobaltoSec Responsible Disclosure Policy. Vendors are notified privately via GitHub Security Advisory before any public disclosure.
License
MIT © CobaltoSec
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file cobaltosec_condor-1.0.0.tar.gz.
File metadata
- Download URL: cobaltosec_condor-1.0.0.tar.gz
- Upload date:
- Size: 105.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
331728ba18f53587169e8aaba3847a00197dd793aac3d8a4dcfe78ccd0191a34
|
|
| MD5 |
798b4358ad44ab3feeedb5bc87ac495c
|
|
| BLAKE2b-256 |
699c5f71def8028eada6d0b5839db13cb98522e8837fde775dbf8b31c6a3030b
|
Provenance
The following attestation bundles were made for cobaltosec_condor-1.0.0.tar.gz:
Publisher:
publish.yml on CobaltoSec/condor
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
cobaltosec_condor-1.0.0.tar.gz -
Subject digest:
331728ba18f53587169e8aaba3847a00197dd793aac3d8a4dcfe78ccd0191a34 - Sigstore transparency entry: 2138258661
- Sigstore integration time:
-
Permalink:
CobaltoSec/condor@c3991d8d853086ea29b5bc4a996ed17f8a516332 -
Branch / Tag:
refs/tags/v1.0.0 - Owner: https://github.com/CobaltoSec
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@c3991d8d853086ea29b5bc4a996ed17f8a516332 -
Trigger Event:
push
-
Statement type:
File details
Details for the file cobaltosec_condor-1.0.0-py3-none-any.whl.
File metadata
- Download URL: cobaltosec_condor-1.0.0-py3-none-any.whl
- Upload date:
- Size: 83.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e1cecff34dd0380e179352c553c3a9f072adeb2b904a818408b7c0df6b45af80
|
|
| MD5 |
161907d1175aaee5b75d4480057d03e8
|
|
| BLAKE2b-256 |
95373d9999f7745c6903b654fd17fcdb3c90b37812b84c5215bb824290992fa3
|
Provenance
The following attestation bundles were made for cobaltosec_condor-1.0.0-py3-none-any.whl:
Publisher:
publish.yml on CobaltoSec/condor
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
cobaltosec_condor-1.0.0-py3-none-any.whl -
Subject digest:
e1cecff34dd0380e179352c553c3a9f072adeb2b904a818408b7c0df6b45af80 - Sigstore transparency entry: 2138258676
- Sigstore integration time:
-
Permalink:
CobaltoSec/condor@c3991d8d853086ea29b5bc4a996ed17f8a516332 -
Branch / Tag:
refs/tags/v1.0.0 - Owner: https://github.com/CobaltoSec
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@c3991d8d853086ea29b5bc4a996ed17f8a516332 -
Trigger Event:
push
-
Statement type: