vectimus-base-001 7 rules
Block recursive deletion of root, home or current directory
shell_command base
SOC2-CC6.1EU-AI-15
Incident: Home directory deletion via rm -rf reported in Claude Code sessions, 2025
Alternative: Delete specific files or directories by name instead of using broad recursive deletion.
@id("vectimus-base-001")
@description("Block recursive deletion of root, home or current directory")
@incident("Home directory deletion via rm -rf reported in Claude Code sessions, 2025")
@controls("SOC2-CC6.1, EU-AI-15")
@suggested_alternative("Delete specific files or directories by name instead of using broad recursive deletion.")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
// Unix/macOS
context.command like "*rm -rf /*" ||
context.command like "*rm -rf ~*" ||
context.command like "*rm -rf .*" ||
// Windows cmd
context.command like "*rd /s /q*" ||
context.command like "*rmdir /s /q*" ||
context.command like "*del /f /s /q*" ||
// Windows PowerShell
context.command like "*Remove-Item*-Recurse*-Force*"
};
Click to expand
vectimus-base-002 4 rules
Block disk destruction via mkfs or dd zeroing
shell_command base
SOC2-CC6.1EU-AI-15
Incident: Accidental mkfs on production volume, various incident reports 2023-2025
Alternative: Use file-level operations instead of raw disk commands. Request human approval for disk formatting.
@id("vectimus-base-002")
@description("Block disk destruction via mkfs or dd zeroing")
@incident("Accidental mkfs on production volume, various incident reports 2023-2025")
@controls("SOC2-CC6.1, EU-AI-15")
@suggested_alternative("Use file-level operations instead of raw disk commands. Request human approval for disk formatting.")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
// Unix/macOS
context.command like "*mkfs*" ||
context.command like "*dd if=/dev/zero*" ||
// Windows
context.command like "*format*/fs:*" ||
context.command like "*diskpart*clean*"
};
Click to expand
Block fork bomb execution
shell_command base
SOC2-CC6.1EU-AI-15
Incident: Fork bomb denial-of-service used to crash developer workstations, various reports
Alternative: This command is a fork bomb and has no safe alternative. It should never be executed.
@id("vectimus-base-003")
@description("Block fork bomb execution")
@incident("Fork bomb denial-of-service used to crash developer workstations, various reports")
@controls("SOC2-CC6.1, EU-AI-15")
@suggested_alternative("This command is a fork bomb and has no safe alternative. It should never be executed.")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
context.command like "*:(){ :|:*"
};
Click to expand
vectimus-base-004 4 rules
Block recursive chmod 777 on root filesystem
shell_command base
SOC2-CC6.1EU-AI-15
Incident: chmod 777 / rendered Linux servers unbootable, multiple sysadmin post-mortems
Alternative: Set permissions on specific files with appropriate modes (e.g. chmod 644 for files, 755 for directories).
@id("vectimus-base-004")
@description("Block recursive chmod 777 on root filesystem")
@incident("chmod 777 / rendered Linux servers unbootable, multiple sysadmin post-mortems")
@controls("SOC2-CC6.1, EU-AI-15")
@suggested_alternative("Set permissions on specific files with appropriate modes (e.g. chmod 644 for files, 755 for directories).")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
// Unix/macOS
context.command like "*chmod -R 777 /*" ||
// Windows -- grant full control to Everyone recursively
context.command like "*icacls*Everyone:F*/T*" ||
context.command like "*icacls*Everyone:(OI)(CI)F*" ||
context.command like "*cacls*Everyone:F*"
};
Click to expand
vectimus-base-005 4 rules
Block disk overwrite via redirect to block device
shell_command base
SOC2-CC6.1EU-AI-15
Incident: Redirect to /dev/sda destroyed partition tables, data recovery incident reports
Alternative: Use file-level operations instead of writing directly to block devices.
@id("vectimus-base-005")
@description("Block disk overwrite via redirect to block device")
@incident("Redirect to /dev/sda destroyed partition tables, data recovery incident reports")
@controls("SOC2-CC6.1, EU-AI-15")
@suggested_alternative("Use file-level operations instead of writing directly to block devices.")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
// Unix/macOS
context.command like "*> /dev/sda*" ||
// Windows -- raw disk writes
context.command like "*> \\\\.\\PhysicalDrive*" ||
context.command like "*diskpart*" ||
context.command like "*Clear-Disk*"
};
Click to expand
vectimus-base-006 27 rules
Block remote code execution via curl/wget piped to shell
shell_command base
SOC2-CC6.6SOC2-CC6.8NIST-AI-MG-3.2EU-AI-15
Incident: Supply-chain attacks via curl|sh pattern, Clinejection February 2026
Alternative: Download the script to a file first, review its contents, then execute it after inspection.
@id("vectimus-base-006")
@description("Block remote code execution via curl/wget piped to shell")
@incident("Supply-chain attacks via curl|sh pattern, Clinejection February 2026")
@controls("SOC2-CC6.6, SOC2-CC6.8, NIST-AI-MG-3.2, EU-AI-15")
@suggested_alternative("Download the script to a file first, review its contents, then execute it after inspection.")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
context.command like "*curl*| sh" ||
context.command like "*curl*| sh *" ||
context.command like "*curl*| sh;*" ||
context.command like "*curl*|sh" ||
context.command like "*curl*|sh *" ||
context.command like "*curl*|sh;*" ||
context.command like "*curl*| /bin/sh*" ||
context.command like "*curl*|/bin/sh*" ||
context.command like "*curl*| bash*" ||
context.command like "*curl*|bash*" ||
context.command like "*wget*| sh" ||
context.command like "*wget*| sh *" ||
context.command like "*wget*| sh;*" ||
context.command like "*wget*|sh" ||
context.command like "*wget*|sh *" ||
context.command like "*wget*|sh;*" ||
context.command like "*wget*| /bin/sh*" ||
context.command like "*wget*|/bin/sh*" ||
context.command like "*wget*| bash*" ||
context.command like "*wget*|bash*" ||
// Windows PowerShell -- download and execute patterns
context.command like "*Invoke-WebRequest*|*Invoke-Expression*" ||
context.command like "*Invoke-WebRequest*| iex*" ||
context.command like "*iwr*|*iex*" ||
context.command like "*IEX*(New-Object*Net.WebClient)*DownloadString*" ||
context.command like "*Invoke-Expression*(New-Object*Net.WebClient)*" ||
// Windows cmd -- certutil download-execute
context.command like "*certutil*-urlcache*" ||
context.command like "*bitsadmin*/transfer*"
};
Click to expand
Block terraform destroy without explicit approval
infrastructure base
SOC2-CC6.1EU-AI-14
Incident: Terraform destroy on production infrastructure, 2025
Alternative: Use terraform plan to preview changes, then request human approval for destructive operations.
@id("vectimus-base-007")
@description("Block terraform destroy without explicit approval")
@incident("Terraform destroy on production infrastructure, 2025")
@controls("SOC2-CC6.1, EU-AI-14")
@suggested_alternative("Use terraform plan to preview changes, then request human approval for destructive operations.")
forbid (
principal,
action == Vectimus::Action::"infrastructure",
resource
) when {
context.command like "*terraform destroy*"
};
Click to expand
Block terraform apply with auto-approve flag
infrastructure base
SOC2-CC6.1EU-AI-14
Incident: Unreviewed terraform apply auto-approved production changes, 2025
Alternative: Use terraform plan first, then terraform apply without -auto-approve so changes can be reviewed.
@id("vectimus-base-008")
@description("Block terraform apply with auto-approve flag")
@incident("Unreviewed terraform apply auto-approved production changes, 2025")
@controls("SOC2-CC6.1, EU-AI-14")
@suggested_alternative("Use terraform plan first, then terraform apply without -auto-approve so changes can be reviewed.")
forbid (
principal,
action == Vectimus::Action::"infrastructure",
resource
) when {
context.command like "*terraform apply*-auto-approve*"
};
Click to expand
Block kubectl delete namespace to prevent accidental cluster damage
infrastructure base
SOC2-CC6.1EU-AI-14
Incident: kubectl delete namespace wiped production services, Kubernetes incident postmortem 2024
Alternative: Delete individual resources within the namespace instead, or request human approval for namespace deletion.
@id("vectimus-base-009")
@description("Block kubectl delete namespace to prevent accidental cluster damage")
@incident("kubectl delete namespace wiped production services, Kubernetes incident postmortem 2024")
@controls("SOC2-CC6.1, EU-AI-14")
@suggested_alternative("Delete individual resources within the namespace instead, or request human approval for namespace deletion.")
forbid (
principal,
action == Vectimus::Action::"infrastructure",
resource
) when {
context.command like "*kubectl delete namespace*"
};
Click to expand
Block forced deletion of S3 buckets
infrastructure base
SOC2-CC6.1EU-AI-14
Incident: Accidental S3 bucket deletion caused data loss, AWS incident reports 2023-2025
Alternative: Empty the bucket contents first with aws s3 rm, then delete the bucket without --force after human review.
@id("vectimus-base-010")
@description("Block forced deletion of S3 buckets")
@incident("Accidental S3 bucket deletion caused data loss, AWS incident reports 2023-2025")
@controls("SOC2-CC6.1, EU-AI-14")
@suggested_alternative("Empty the bucket contents first with aws s3 rm, then delete the bucket without --force after human review.")
forbid (
principal,
action == Vectimus::Action::"infrastructure",
resource
) when {
context.command like "*aws s3 rb*--force*"
};
Click to expand
vectimus-base-011 2 rules
Block reading .env files that commonly contain secrets
file_read base
SOC2-CC6.1CIS-16EU-AI-15
Incident: AI agent exfiltrated API keys from .env files, prompt injection attack reports 2025
Alternative: Use environment variables directly or read a .env.example file for configuration structure.
@id("vectimus-base-011")
@description("Block reading .env files that commonly contain secrets")
@incident("AI agent exfiltrated API keys from .env files, prompt injection attack reports 2025")
@controls("SOC2-CC6.1, CIS-16, EU-AI-15")
@suggested_alternative("Use environment variables directly or read a .env.example file for configuration structure.")
forbid (
principal,
action == Vectimus::Action::"file_read",
resource
) when {
context.file_path like "*.env" ||
context.file_path like "*.env.*"
};
Click to expand
vectimus-base-011-infra 1 rule
Block docker rm -f on running containers
infrastructure base
SOC2-CC6.1
Incident: Force-removed production containers caused service outage, Docker incident reports
Alternative: Use docker stop to gracefully stop the container first, then docker rm to remove it.
@id("vectimus-base-011-infra")
@description("Block docker rm -f on running containers")
@incident("Force-removed production containers caused service outage, Docker incident reports")
@controls("SOC2-CC6.1")
@suggested_alternative("Use docker stop to gracefully stop the container first, then docker rm to remove it.")
forbid (
principal,
action == Vectimus::Action::"infrastructure",
resource
) when {
context.command like "*docker rm -f*"
};
Click to expand
vectimus-base-012 3 rules
Block reading SSH keys, AWS credentials and npmrc tokens
file_read base
SOC2-CC6.1EU-AI-15
Incident: Agent read ~/.ssh/id_rsa and included contents in code comment, credential leak report 2025
Alternative: Use the relevant CLI tool (ssh, aws, npm) to perform operations instead of reading credential files directly.
@id("vectimus-base-012")
@description("Block reading SSH keys, AWS credentials and npmrc tokens")
@incident("Agent read ~/.ssh/id_rsa and included contents in code comment, credential leak report 2025")
@controls("SOC2-CC6.1, EU-AI-15")
@suggested_alternative("Use the relevant CLI tool (ssh, aws, npm) to perform operations instead of reading credential files directly.")
forbid (
principal,
action == Vectimus::Action::"file_read",
resource
) when {
context.file_path like "*.ssh/*" ||
context.file_path like "*.aws/*" ||
context.file_path like "*.npmrc"
};
Click to expand
vectimus-base-013 6 rules
Block reading files in secrets directories or credential/token config files
file_read base
SOC2-CC6.1EU-AI-15
Incident: Agents read secret-named config files and logged contents to audit trails, 2025
Alternative: Access secrets through a secrets manager or environment variables instead of reading secret files directly.
@id("vectimus-base-013")
@description("Block reading files in secrets directories or credential/token config files")
@incident("Agents read secret-named config files and logged contents to audit trails, 2025")
@controls("SOC2-CC6.1, EU-AI-15")
@suggested_alternative("Access secrets through a secrets manager or environment variables instead of reading secret files directly.")
forbid (
principal,
action == Vectimus::Action::"file_read",
resource
) when {
context.file_path like "*/secrets/*" ||
context.file_path like "*/.secrets/*" ||
context.file_path like "*credentials.json" ||
context.file_path like "*credentials.yaml" ||
context.file_path like "*/token" ||
context.file_path like "*/token.json"
};
Click to expand
vectimus-base-014 11 rules
Block shell commands that cat private keys
shell_command base
SOC2-CC6.1EU-AI-15
Incident: Agent ran cat ~/.ssh/id_rsa and embedded key in output, credential exposure report 2025
Alternative: Use ssh-agent or the relevant CLI tool to work with keys. Do not read private keys directly.
@id("vectimus-base-014")
@description("Block shell commands that cat private keys")
@incident("Agent ran cat ~/.ssh/id_rsa and embedded key in output, credential exposure report 2025")
@controls("SOC2-CC6.1, EU-AI-15")
@suggested_alternative("Use ssh-agent or the relevant CLI tool to work with keys. Do not read private keys directly.")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
// Unix/macOS
context.command like "*cat*/.ssh/*" ||
context.command like "*cat*.pem*" ||
context.command like "*cat*.key*" ||
// Windows cmd
context.command like "*type*\\.ssh\\*" ||
context.command like "*type*.pem*" ||
context.command like "*type*.key*" ||
// Windows PowerShell
context.command like "*Get-Content*\\.ssh\\*" ||
context.command like "*Get-Content*.pem*" ||
context.command like "*Get-Content*.key*" ||
context.command like "*gc *\\.ssh\\*" ||
context.command like "*gc *.pem*"
};
Click to expand
Block npm publish to prevent supply-chain attacks
package_operation base
SLSA-L2SOC2-CC6.8NIST-AI-MG-3.2EU-AI-15
Incident: Clinejection: malicious npm packages published by compromised AI agent, February 2026
Alternative: Use npm pack to create a tarball for review, then request human approval before publishing.
@id("vectimus-base-015")
@description("Block npm publish to prevent supply-chain attacks")
@incident("Clinejection: malicious npm packages published by compromised AI agent, February 2026")
@controls("SLSA-L2, SOC2-CC6.8, NIST-AI-MG-3.2, EU-AI-15")
@suggested_alternative("Use npm pack to create a tarball for review, then request human approval before publishing.")
forbid (
principal,
action == Vectimus::Action::"package_operation",
resource
) when {
context.command like "*npm publish*"
};
Click to expand
vectimus-base-016 2 rules
Block pip install from non-standard indexes
package_operation base
SLSA-L2SOC2-CC6.8NIST-AI-MG-3.2EU-AI-15
Incident: Dependency confusion attacks via private index spoofing, 2024-2026
Alternative: Install packages from the default PyPI index, or request human approval for custom indexes.
@id("vectimus-base-016")
@description("Block pip install from non-standard indexes")
@incident("Dependency confusion attacks via private index spoofing, 2024-2026")
@controls("SLSA-L2, SOC2-CC6.8, NIST-AI-MG-3.2, EU-AI-15")
@suggested_alternative("Install packages from the default PyPI index, or request human approval for custom indexes.")
forbid (
principal,
action == Vectimus::Action::"package_operation",
resource
) when {
context.command like "*pip install*--index-url*" ||
context.command like "*pip install*-i *"
};
Click to expand
vectimus-base-016b 1 rule
Block npm install with URL sources instead of registry packages
package_operation base
SLSA-L2SOC2-CC6.8EU-AI-15
Incident: Trojanised packages installed via direct URL bypassing registry checks, 2025
Alternative: Install packages from the npm registry by name instead of using direct URLs.
@id("vectimus-base-016b")
@description("Block npm install with URL sources instead of registry packages")
@incident("Trojanised packages installed via direct URL bypassing registry checks, 2025")
@controls("SLSA-L2, SOC2-CC6.8, EU-AI-15")
@suggested_alternative("Install packages from the npm registry by name instead of using direct URLs.")
forbid (
principal,
action == Vectimus::Action::"package_operation",
resource
) when {
context.command like "*npm install http:*"
};
Click to expand
vectimus-base-016c 1 rule
Block global npm installs which affect the system-wide environment
package_operation base
SOC2-CC6.8EU-AI-15
Incident: Global npm install of compromised package affected all projects on developer machine, 2025
Alternative: Install packages locally to the project with npm install (no -g flag) to limit blast radius.
@id("vectimus-base-016c")
@description("Block global npm installs which affect the system-wide environment")
@incident("Global npm install of compromised package affected all projects on developer machine, 2025")
@controls("SOC2-CC6.8, EU-AI-15")
@suggested_alternative("Install packages locally to the project with npm install (no -g flag) to limit blast radius.")
forbid (
principal,
action == Vectimus::Action::"package_operation",
resource
) when {
context.command like "*npm install -g*"
};
Click to expand
vectimus-base-017 6 rules
Block force push to main, master or production branches
git_operation base
SOC2-CC8.1
Incident: Force push to main overwrote 3 days of team commits, 2025
Alternative: Use git push --force-with-lease for safer force pushes, or push to a feature branch and create a pull request.
@id("vectimus-base-017")
@description("Block force push to main, master or production branches")
@incident("Force push to main overwrote 3 days of team commits, 2025")
@controls("SOC2-CC8.1")
@suggested_alternative("Use git push --force-with-lease for safer force pushes, or push to a feature branch and create a pull request.")
forbid (
principal,
action == Vectimus::Action::"git_operation",
resource
) when {
context.command like "*git push*--force*main*" ||
context.command like "*git push*--force*master*" ||
context.command like "*git push*--force*production*" ||
context.command like "*git push*-f*main*" ||
context.command like "*git push*-f*master*" ||
context.command like "*git push*-f*production*"
};
Click to expand
Block git reset --hard which discards uncommitted work
git_operation base
SOC2-CC8.1
Incident: Agent ran git reset --hard and destroyed hours of uncommitted developer work, 2025
Alternative: Use git stash to save changes, or git reset --soft to keep changes staged, or git revert for a safe undo.
@id("vectimus-base-018")
@description("Block git reset --hard which discards uncommitted work")
@incident("Agent ran git reset --hard and destroyed hours of uncommitted developer work, 2025")
@controls("SOC2-CC8.1")
@suggested_alternative("Use git stash to save changes, or git reset --soft to keep changes staged, or git revert for a safe undo.")
forbid (
principal,
action == Vectimus::Action::"git_operation",
resource
) when {
context.command like "*git reset --hard*"
};
Click to expand
vectimus-base-018b 1 rule
Block git clean -f which permanently deletes untracked files
git_operation base
SOC2-CC8.1
Incident: git clean -f deleted uncommitted test fixtures and local config, developer incident reports
Alternative: Use git clean -n (dry run) to preview what would be deleted, then request human approval.
@id("vectimus-base-018b")
@description("Block git clean -f which permanently deletes untracked files")
@incident("git clean -f deleted uncommitted test fixtures and local config, developer incident reports")
@controls("SOC2-CC8.1")
@suggested_alternative("Use git clean -n (dry run) to preview what would be deleted, then request human approval.")
forbid (
principal,
action == Vectimus::Action::"git_operation",
resource
) when {
context.command like "*git clean*-f*"
};
Click to expand
Block writes to GitHub Actions workflow files
file_write base
SLSA-L2SOC2-CC8.1
Incident: CI/CD pipeline injection via modified workflow file, BrowseComp evaluation 2026
Alternative: Propose workflow changes via a pull request for human review before modifying CI/CD pipelines.
@id("vectimus-base-019")
@description("Block writes to GitHub Actions workflow files")
@incident("CI/CD pipeline injection via modified workflow file, BrowseComp evaluation 2026")
@controls("SLSA-L2, SOC2-CC8.1")
@suggested_alternative("Propose workflow changes via a pull request for human review before modifying CI/CD pipelines.")
forbid (
principal,
action == Vectimus::Action::"file_write",
resource
) when {
context.file_path like "*.github/workflows/*"
};
Click to expand
vectimus-base-020 3 rules
Block writes to certificate and private key files
file_write base
SOC2-CC6.1EU-AI-15
Incident: Agent overwrote TLS certificate causing service outage, incident report 2025
Alternative: Use a certificate management tool or request human approval before writing key/certificate files.
@id("vectimus-base-020")
@description("Block writes to certificate and private key files")
@incident("Agent overwrote TLS certificate causing service outage, incident report 2025")
@controls("SOC2-CC6.1, EU-AI-15")
@suggested_alternative("Use a certificate management tool or request human approval before writing key/certificate files.")
forbid (
principal,
action == Vectimus::Action::"file_write",
resource
) when {
context.file_path like "*.pem" ||
context.file_path like "*.key" ||
context.file_path like "*.cert"
};
Click to expand
vectimus-base-020b 6 rules
Block writes to governance config files to prevent policy bypass
file_write base
SOC2-CC6.1EU-AI-14
Incident: Agent modified .claude/settings.json to disable safety hooks, prompt injection attack 2026
Alternative: Governance configuration must be changed by a human administrator, not by an agent.
@id("vectimus-base-020b")
@description("Block writes to governance config files to prevent policy bypass")
@incident("Agent modified .claude/settings.json to disable safety hooks, prompt injection attack 2026")
@controls("SOC2-CC6.1, EU-AI-14")
@suggested_alternative("Governance configuration must be changed by a human administrator, not by an agent.")
forbid (
principal,
action == Vectimus::Action::"file_write",
resource
) when {
context.file_path like "*.claude/settings.json" ||
context.file_path like "*.cursor/hooks.json" ||
context.file_path like "*.cursor/mcp.json" ||
context.file_path like "*.claude/mcp.json" ||
context.file_path like "*.vscode/settings.json" ||
context.file_path like "*.vscode/tasks.json"
};
Click to expand
vectimus-base-020c 2 rules
Block writes to Dockerfile and docker-compose in production contexts
file_write base
SOC2-CC8.1EU-AI-15
Incident: Modified Dockerfile in production introduced cryptominer, container security report 2025
Alternative: Propose Dockerfile changes via a pull request. Production container configs require human review.
@id("vectimus-base-020c")
@description("Block writes to Dockerfile and docker-compose in production contexts")
@incident("Modified Dockerfile in production introduced cryptominer, container security report 2025")
@controls("SOC2-CC8.1, EU-AI-15")
@suggested_alternative("Propose Dockerfile changes via a pull request. Production container configs require human review.")
forbid (
principal,
action == Vectimus::Action::"file_write",
resource
) when {
context.file_path like "*prod*Dockerfile*" ||
context.file_path like "*prod*docker-compose*"
};
Click to expand
vectimus-base-020d 1 rule
Block writes to .git directory to prevent repository corruption
file_write base
SOC2-CC8.1
Incident: Agent corrupted git objects by writing directly to .git directory, 2025
Alternative: Use git commands to manage the repository instead of writing to .git directory directly.
@id("vectimus-base-020d")
@description("Block writes to .git directory to prevent repository corruption")
@incident("Agent corrupted git objects by writing directly to .git directory, 2025")
@controls("SOC2-CC8.1")
@suggested_alternative("Use git commands to manage the repository instead of writing to .git directory directly.")
forbid (
principal,
action == Vectimus::Action::"file_write",
resource
) when {
context.file_path like "*/.git/*"
};
Click to expand
vectimus-base-021 6 rules
Block agents from running vectimus CLI commands to prevent governance bypass
shell_command base
SOC2-CC6.1EU-AI-14
Incident: Agent attempted to disable its own governance rules after receiving deny response, 2026
Alternative: Vectimus configuration must be changed by a human administrator. Do not attempt to modify governance settings.
@id("vectimus-base-021")
@description("Block agents from running vectimus CLI commands to prevent governance bypass")
@incident("Agent attempted to disable its own governance rules after receiving deny response, 2026")
@controls("SOC2-CC6.1, EU-AI-14")
@suggested_alternative("Vectimus configuration must be changed by a human administrator. Do not attempt to modify governance settings.")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
context.command like "vectimus *" ||
context.command like "*vectimus rule*" ||
context.command like "*vectimus pack*" ||
context.command like "*vectimus init*" ||
context.command like "*python -m vectimus*" ||
context.command like "*python3 -m vectimus*"
};
Click to expand
vectimus-base-030 0 rules
Block MCP tool calls to servers not on the approved list
mcp_tool base
OWASP-ASI02SOC2-CC6.1NIST-AI-MG-3.2EU-AI-15
Incident: Clinejection: agent communicated with malicious MCP server that instructed it to publish backdoored packages, February 2026
Alternative: Add the MCP server to your approved list with: vectimus mcp allow <server-name>
@id("vectimus-base-030")
@description("Block MCP tool calls to servers not on the approved list")
@incident("Clinejection: agent communicated with malicious MCP server that instructed it to publish backdoored packages, February 2026")
@controls("OWASP-ASI02, SOC2-CC6.1, NIST-AI-MG-3.2, EU-AI-15")
@suggested_alternative("Add the MCP server to your approved list with: vectimus mcp allow <server-name>")
forbid (
principal,
action == Vectimus::Action::"mcp_tool",
resource
) when {
// Default: block all MCP servers. When you run
// 'vectimus mcp allow <server>', the loader rewrites this rule
// at load time with an 'unless' clause for your approved servers.
true
};
Click to expand
vectimus-base-031 4 rules
Block MCP tools that execute arbitrary shell commands on the server
mcp_tool base
OWASP-ASI02SOC2-CC6.1
Incident: Compromised MCP server exposed run_command tool used to pivot into internal network, 2026
Alternative: Do not approve MCP servers that expose arbitrary command execution. Use purpose-built tools instead.
@id("vectimus-base-031")
@description("Block MCP tools that execute arbitrary shell commands on the server")
@incident("Compromised MCP server exposed run_command tool used to pivot into internal network, 2026")
@controls("OWASP-ASI02, SOC2-CC6.1")
@suggested_alternative("Do not approve MCP servers that expose arbitrary command execution. Use purpose-built tools instead.")
forbid (
principal,
action == Vectimus::Action::"mcp_tool",
resource
) when {
context.mcp_tool like "*run_command*" ||
context.mcp_tool like "*execute*" ||
context.mcp_tool like "*shell*" ||
context.mcp_tool like "*exec*"
};
// ---------------------------------------------------------------------------
// Input parameter inspection (defence in depth)
//
// These rules check the input parameters the agent passes to MCP tools.
// They catch cases where tool inputs contain recognisable sensitive paths
// or dangerous commands. They cannot catch tools that do sensitive things
// without exposing it in their input schema.
// ---------------------------------------------------------------------------
Click to expand
vectimus-base-032 8 rules
Block MCP tool calls whose inputs reference credential or secret paths
mcp_tool base
OWASP-ASI02SOC2-CC6.1NIST-AI-MG-3.2EU-AI-15
Incident: Clinejection: agent passed credential file paths to malicious MCP tool, February 2026
Alternative: Access secrets through environment variables or a secrets manager, not via MCP tool inputs.
@id("vectimus-base-032")
@description("Block MCP tool calls whose inputs reference credential or secret paths")
@incident("Clinejection: agent passed credential file paths to malicious MCP tool, February 2026")
@controls("OWASP-ASI02, SOC2-CC6.1, NIST-AI-MG-3.2, EU-AI-15")
@suggested_alternative("Access secrets through environment variables or a secrets manager, not via MCP tool inputs.")
forbid (
principal,
action == Vectimus::Action::"mcp_tool",
resource
) when {
context.file_path like "*/.ssh/*" ||
context.file_path like "*/.aws/*" ||
context.file_path like "*.env" ||
context.file_path like "*.env.*" ||
context.file_path like "*credentials.json" ||
context.file_path like "*/.npmrc" ||
context.file_path like "*/secrets/*" ||
context.file_path like "*token.json"
};
Click to expand
vectimus-base-033 4 rules
Block MCP tool calls whose inputs reference private key files
mcp_tool base
OWASP-ASI02SOC2-CC6.1EU-AI-15
Incident: Agent passed SSH private key path to MCP tool which exfiltrated key contents, 2026
Alternative: Use ssh-agent or the relevant CLI tool to work with keys. Do not pass key file paths to MCP tools.
@id("vectimus-base-033")
@description("Block MCP tool calls whose inputs reference private key files")
@incident("Agent passed SSH private key path to MCP tool which exfiltrated key contents, 2026")
@controls("OWASP-ASI02, SOC2-CC6.1, EU-AI-15")
@suggested_alternative("Use ssh-agent or the relevant CLI tool to work with keys. Do not pass key file paths to MCP tools.")
forbid (
principal,
action == Vectimus::Action::"mcp_tool",
resource
) when {
context.file_path like "*.pem" ||
context.file_path like "*.key" ||
context.file_path like "*id_rsa*" ||
context.file_path like "*id_ed25519*"
};
Click to expand
vectimus-base-034 4 rules
Block MCP tool calls whose inputs reference CI/CD pipeline files
mcp_tool base
OWASP-ASI02SLSA-L2SOC2-CC8.1
Incident: Agent asked MCP tool to modify GitHub Actions workflow, injecting malicious build step, 2026
Alternative: Propose CI/CD changes via a pull request for human review. Do not pass pipeline paths to MCP tools.
@id("vectimus-base-034")
@description("Block MCP tool calls whose inputs reference CI/CD pipeline files")
@incident("Agent asked MCP tool to modify GitHub Actions workflow, injecting malicious build step, 2026")
@controls("OWASP-ASI02, SLSA-L2, SOC2-CC8.1")
@suggested_alternative("Propose CI/CD changes via a pull request for human review. Do not pass pipeline paths to MCP tools.")
forbid (
principal,
action == Vectimus::Action::"mcp_tool",
resource
) when {
context.file_path like "*.github/workflows/*" ||
context.file_path like "*.gitlab-ci.yml" ||
context.file_path like "*Jenkinsfile*" ||
context.file_path like "*.circleci/*"
};
Click to expand
vectimus-base-035 19 rules
Block MCP tool calls whose inputs contain dangerous shell commands
mcp_tool base
OWASP-ASI02SLSA-L2SOC2-CC6.8
Incident: Agent passed npm publish command to MCP tool, publishing backdoored package, Clinejection February 2026
Alternative: Package operations and remote code execution must be done directly by the developer, not via MCP tools.
@id("vectimus-base-035")
@description("Block MCP tool calls whose inputs contain dangerous shell commands")
@incident("Agent passed npm publish command to MCP tool, publishing backdoored package, Clinejection February 2026")
@controls("OWASP-ASI02, SLSA-L2, SOC2-CC6.8")
@suggested_alternative("Package operations and remote code execution must be done directly by the developer, not via MCP tools.")
forbid (
principal,
action == Vectimus::Action::"mcp_tool",
resource
) when {
context.command like "*npm publish*" ||
context.command like "*npm install -g*" ||
context.command like "*pip install*--index-url*" ||
context.command like "*curl*| sh" ||
context.command like "*curl*| sh *" ||
context.command like "*curl*| sh;*" ||
context.command like "*curl*|sh" ||
context.command like "*curl*|sh *" ||
context.command like "*curl*|sh;*" ||
context.command like "*curl*| /bin/sh*" ||
context.command like "*curl*|/bin/sh*" ||
context.command like "*curl*| bash*" ||
context.command like "*curl*|bash*" ||
context.command like "*terraform destroy*" ||
context.command like "*rm -rf*" ||
// Windows destructive patterns
context.command like "*rd /s /q*" ||
context.command like "*rmdir /s /q*" ||
context.command like "*del /f /s /q*" ||
context.command like "*Remove-Item*-Recurse*-Force*"
};
Click to expand
vectimus-base-036 3 rules
Block MCP tool calls whose inputs reference governance configuration files
mcp_tool base
OWASP-ASI02SOC2-CC6.1EU-AI-14
Incident: Agent asked MCP tool to overwrite .claude/settings.json, disabling safety hooks, 2026
Alternative: Governance configuration must be changed by a human administrator, not via MCP tools.
@id("vectimus-base-036")
@description("Block MCP tool calls whose inputs reference governance configuration files")
@incident("Agent asked MCP tool to overwrite .claude/settings.json, disabling safety hooks, 2026")
@controls("OWASP-ASI02, SOC2-CC6.1, EU-AI-14")
@suggested_alternative("Governance configuration must be changed by a human administrator, not via MCP tools.")
forbid (
principal,
action == Vectimus::Action::"mcp_tool",
resource
) when {
context.file_path like "*.claude/settings.json" ||
context.file_path like "*.cursor/hooks.json" ||
context.file_path like "*.vectimus/*"
};
Click to expand
vectimus-base-040 2 rules
Block drizzle-kit operations with --force flag or drop command that bypass safety confirmation
shell_command base
SOC2-CC6.1EU-AI-14
Incident: Claude Code drizzle-kit --force destroyed 60+ production tables on Railway, February 2026
Alternative: Run drizzle-kit push without --force so the interactive confirmation can protect against destructive changes.
@id("vectimus-base-040")
@description("Block drizzle-kit operations with --force flag or drop command that bypass safety confirmation")
@incident("Claude Code drizzle-kit --force destroyed 60+ production tables on Railway, February 2026")
@controls("SOC2-CC6.1, EU-AI-14")
@suggested_alternative("Run drizzle-kit push without --force so the interactive confirmation can protect against destructive changes.")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
context.command like "*drizzle-kit push*--force*" ||
context.command like "*drizzle-kit drop*"
};
Click to expand
vectimus-base-041 3 rules
Block prisma operations with --accept-data-loss or destructive reset/execute commands
shell_command base
SOC2-CC6.1EU-AI-14
Incident: Claude Code prisma --accept-data-loss destroyed production database, December 2025
Alternative: Run prisma db push without --accept-data-loss. Use prisma migrate dev for safe migrations. Avoid prisma migrate reset in production.
@id("vectimus-base-041")
@description("Block prisma operations with --accept-data-loss or destructive reset/execute commands")
@incident("Claude Code prisma --accept-data-loss destroyed production database, December 2025")
@controls("SOC2-CC6.1, EU-AI-14")
@suggested_alternative("Run prisma db push without --accept-data-loss. Use prisma migrate dev for safe migrations. Avoid prisma migrate reset in production.")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
context.command like "*prisma db push*--accept-data-loss*" ||
context.command like "*prisma migrate reset*" ||
context.command like "*prisma db execute*"
};
Click to expand
Block knex migrate:rollback --all which destroys all migration state
shell_command base
SOC2-CC6.1EU-AI-14
Incident: ORM destructive flag pattern identified in agent safety bypass analysis
Alternative: Roll back migrations one at a time with knex migrate:rollback (without --all) and verify each step.
@id("vectimus-base-042")
@description("Block knex migrate:rollback --all which destroys all migration state")
@incident("ORM destructive flag pattern identified in agent safety bypass analysis")
@controls("SOC2-CC6.1, EU-AI-14")
@suggested_alternative("Roll back migrations one at a time with knex migrate:rollback (without --all) and verify each step.")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
context.command like "*knex migrate:rollback*--all*"
};
Click to expand
vectimus-base-043 2 rules
Block sequelize database drop and full migration undo commands
shell_command base
SOC2-CC6.1EU-AI-14
Incident: ORM destructive flag pattern identified in agent safety bypass analysis
Alternative: Undo migrations one at a time with sequelize db:migrate:undo. Database drops require human approval.
@id("vectimus-base-043")
@description("Block sequelize database drop and full migration undo commands")
@incident("ORM destructive flag pattern identified in agent safety bypass analysis")
@controls("SOC2-CC6.1, EU-AI-14")
@suggested_alternative("Undo migrations one at a time with sequelize db:migrate:undo. Database drops require human approval.")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
context.command like "*sequelize db:drop*" ||
context.command like "*sequelize db:migrate:undo:all*"
};
Click to expand
vectimus-base-044 6 rules
Block Rails database drop, reset and schema:load commands
shell_command base
SOC2-CC6.1EU-AI-14
Incident: ORM destructive flag pattern identified in agent safety bypass analysis
Alternative: Use rails db:migrate for safe incremental changes. Database drops and resets require human approval.
@id("vectimus-base-044")
@description("Block Rails database drop, reset and schema:load commands")
@incident("ORM destructive flag pattern identified in agent safety bypass analysis")
@controls("SOC2-CC6.1, EU-AI-14")
@suggested_alternative("Use rails db:migrate for safe incremental changes. Database drops and resets require human approval.")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
context.command like "*rails db:drop*" ||
context.command like "*rails db:reset*" ||
context.command like "*rails db:schema:load*" ||
context.command like "*rake db:drop*" ||
context.command like "*rake db:reset*" ||
context.command like "*rake db:schema:load*"
};
Click to expand
vectimus-base-045 2 rules
Block Django flush with --no-input flag that bypasses confirmation
shell_command base
SOC2-CC6.1EU-AI-14
Incident: ORM destructive flag pattern identified in agent safety bypass analysis
Alternative: Run manage.py flush without --no-input so the interactive confirmation prompt can protect against data loss.
@id("vectimus-base-045")
@description("Block Django flush with --no-input flag that bypasses confirmation")
@incident("ORM destructive flag pattern identified in agent safety bypass analysis")
@controls("SOC2-CC6.1, EU-AI-14")
@suggested_alternative("Run manage.py flush without --no-input so the interactive confirmation prompt can protect against data loss.")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
context.command like "*manage.py flush*--no-input*" ||
context.command like "*django*flush*--no-input*"
};
Click to expand
vectimus-base-046 2 rules
Block TypeORM schema:drop and migration:revert commands
shell_command base
SOC2-CC6.1EU-AI-14
Incident: ORM destructive flag pattern identified in agent safety bypass analysis
Alternative: Use TypeORM migrations to make incremental schema changes. Schema drops require human approval.
@id("vectimus-base-046")
@description("Block TypeORM schema:drop and migration:revert commands")
@incident("ORM destructive flag pattern identified in agent safety bypass analysis")
@controls("SOC2-CC6.1, EU-AI-14")
@suggested_alternative("Use TypeORM migrations to make incremental schema changes. Schema drops require human approval.")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
context.command like "*typeorm schema:drop*" ||
context.command like "*typeorm migration:revert*"
};
Click to expand
Block agents from spawning Claude Code with --dangerously-skip-permissions flag
shell_command base
SOC2-CC6.1EU-AI-14
Incident: Nx S1NGULARITY: malware weaponised Claude Code with permission bypass flags, August 2025
Alternative: Spawn Claude Code without --dangerously-skip-permissions. Sub-agents should go through the normal approval flow.
@id("vectimus-base-047")
@description("Block agents from spawning Claude Code with --dangerously-skip-permissions flag")
@incident("Nx S1NGULARITY: malware weaponised Claude Code with permission bypass flags, August 2025")
@controls("SOC2-CC6.1, EU-AI-14")
@suggested_alternative("Spawn Claude Code without --dangerously-skip-permissions. Sub-agents should go through the normal approval flow.")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
context.command like "*claude*--dangerously-skip-permissions*"
};
Click to expand
Block agents from spawning Gemini CLI with --yolo flag that disables safety
shell_command base
SOC2-CC6.1EU-AI-14
Incident: Nx S1NGULARITY: malware weaponised Gemini CLI with --yolo flag, August 2025
Alternative: Spawn Gemini CLI without --yolo. Safety prompts exist to protect against destructive actions.
@id("vectimus-base-048")
@description("Block agents from spawning Gemini CLI with --yolo flag that disables safety")
@incident("Nx S1NGULARITY: malware weaponised Gemini CLI with --yolo flag, August 2025")
@controls("SOC2-CC6.1, EU-AI-14")
@suggested_alternative("Spawn Gemini CLI without --yolo. Safety prompts exist to protect against destructive actions.")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
context.command like "*gemini*--yolo*"
};
Click to expand
Block agents from spawning AI tools with --trust-all-tools flag
shell_command base
SOC2-CC6.1EU-AI-14
Incident: Nx S1NGULARITY: malware weaponised Amazon Q with --trust-all-tools, August 2025
Alternative: Spawn AI tools without --trust-all-tools. Tool trust should be granted selectively, not globally.
@id("vectimus-base-049")
@description("Block agents from spawning AI tools with --trust-all-tools flag")
@incident("Nx S1NGULARITY: malware weaponised Amazon Q with --trust-all-tools, August 2025")
@controls("SOC2-CC6.1, EU-AI-14")
@suggested_alternative("Spawn AI tools without --trust-all-tools. Tool trust should be granted selectively, not globally.")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
context.command like "*--trust-all-tools*"
};
Click to expand
vectimus-base-050 2 rules
Block agents from using generic permission bypass flags when spawning AI tools
shell_command base
SOC2-CC6.1EU-AI-14
Incident: Systematic pattern of agents using force/skip/yolo flags to bypass safety, 2024-2026
Alternative: Do not spawn sub-agents with flags that bypass permission checks. Sub-agent invocations should respect the configured safety policies.
@id("vectimus-base-050")
@description("Block agents from using generic permission bypass flags when spawning AI tools")
@incident("Systematic pattern of agents using force/skip/yolo flags to bypass safety, 2024-2026")
@controls("SOC2-CC6.1, EU-AI-14")
@suggested_alternative("Do not spawn sub-agents with flags that bypass permission checks. Sub-agent invocations should respect the configured safety policies.")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
context.command like "*--skip-permissions*" ||
context.command like "*--no-safety*"
};
Click to expand
vectimus-base-051 2 rules
Block writes to VS Code launch.json and extensions.json that control debugging and extensions
file_write base
SOC2-CC6.1EU-AI-14
Incident: IDE configuration poisoning via launch configurations, IDEsaster research December 2025
Alternative: VS Code launch and extension configuration should be reviewed by a human before modification.
@id("vectimus-base-051")
@description("Block writes to VS Code launch.json and extensions.json that control debugging and extensions")
@incident("IDE configuration poisoning via launch configurations, IDEsaster research December 2025")
@controls("SOC2-CC6.1, EU-AI-14")
@suggested_alternative("VS Code launch and extension configuration should be reviewed by a human before modification.")
forbid (
principal,
action == Vectimus::Action::"file_write",
resource
) when {
context.file_path like "*.vscode/launch.json" ||
context.file_path like "*.vscode/extensions.json"
};
Click to expand
vectimus-base-052 2 rules
Block writes to MCP configuration files that control tool access
file_write base
SOC2-CC6.1EU-AI-14
Incident: CurXecute: prompt injection rewrote MCP config for remote code execution, CVE-2025-54135
Alternative: MCP configuration files must be edited by a human. Changes to tool access should be reviewed before taking effect.
@id("vectimus-base-052")
@description("Block writes to MCP configuration files that control tool access")
@incident("CurXecute: prompt injection rewrote MCP config for remote code execution, CVE-2025-54135")
@controls("SOC2-CC6.1, EU-AI-14")
@suggested_alternative("MCP configuration files must be edited by a human. Changes to tool access should be reviewed before taking effect.")
forbid (
principal,
action == Vectimus::Action::"file_write",
resource
) when {
context.file_path like "*/mcp.json" ||
context.file_path like "*mcp_config*"
};
Click to expand
Block base64-encoded data exfiltration via curl or wget
shell_command owasp-agentic
OWASP-ASI01SOC2-CC6.6EU-AI-15
Incident: Amazon Q Developer secrets leaked via DNS and prompt injection, 2025
Alternative: If you need to send data to an external service, request human approval and use an approved API endpoint.
@id("owasp-001")
@category("ASI01")
@incident("Amazon Q Developer secrets leaked via DNS and prompt injection, 2025")
@description("Block base64-encoded data exfiltration via curl or wget")
@suggested_alternative("If you need to send data to an external service, request human approval and use an approved API endpoint.")
@controls("OWASP-ASI01, SOC2-CC6.6, EU-AI-15")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
// Unix/macOS
context.command like "*base64*|*curl*" ||
context.command like "*base64*|*wget*" ||
context.command like "*curl*base64*" ||
context.command like "*wget*base64*" ||
// Windows PowerShell
context.command like "*[Convert]::ToBase64String*Invoke-WebRequest*" ||
context.command like "*[Convert]::ToBase64String*Invoke-RestMethod*" ||
context.command like "*certutil*-encode*" ||
// Windows cmd
context.command like "*certutil*-encode*|*curl*"
};
Click to expand
Block DNS exfiltration via nslookup or dig with piped input
shell_command owasp-agentic
OWASP-ASI01SOC2-CC6.6EU-AI-15
Incident: Amazon Q Developer secrets leaked via DNS exfiltration, 2025
Alternative: Use standard DNS lookup tools without piped encoded data. If DNS queries are needed, run them directly with explicit domain names.
@id("owasp-002")
@category("ASI01")
@incident("Amazon Q Developer secrets leaked via DNS exfiltration, 2025")
@description("Block DNS exfiltration via nslookup or dig with piped input")
@suggested_alternative("Use standard DNS lookup tools without piped encoded data. If DNS queries are needed, run them directly with explicit domain names.")
@controls("OWASP-ASI01, SOC2-CC6.6, EU-AI-15")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
// Unix/macOS
context.command like "*nslookup*$(*" ||
context.command like "*dig*$(*" ||
context.command like "*nslookup*`*" ||
context.command like "*dig*`*" ||
// Windows PowerShell
context.command like "*Resolve-DnsName*$(*" ||
context.command like "*Resolve-DnsName*`(*"
};
Click to expand
Block piping credential or system files to network transfer tools
shell_command owasp-agentic
OWASP-ASI01SOC2-CC6.6EU-AI-15
Incident: EchoLeak: zero-click indirect prompt injection against M365 Copilot, 2025
Alternative: Do not pipe sensitive file contents to network tools. Access files locally and use approved channels for data transfer.
@id("owasp-003")
@category("ASI01")
@incident("EchoLeak: zero-click indirect prompt injection against M365 Copilot, 2025")
@description("Block piping credential or system files to network transfer tools")
@suggested_alternative("Do not pipe sensitive file contents to network tools. Access files locally and use approved channels for data transfer.")
@controls("OWASP-ASI01, SOC2-CC6.6, EU-AI-15")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
// Unix/macOS
context.command like "*cat /etc/passwd*|*curl*" ||
context.command like "*cat /etc/shadow*|*curl*" ||
context.command like "*cat /etc/passwd*|*wget*" ||
context.command like "*cat /etc/shadow*|*wget*" ||
context.command like "*cat /etc/passwd*|*nc *" ||
context.command like "*cat /etc/shadow*|*nc *" ||
// Windows -- credential database and registry exfiltration
context.command like "*type*\\SAM*|*curl*" ||
context.command like "*type*\\SYSTEM*|*curl*" ||
context.command like "*reg save*HKLM\\SAM*" ||
context.command like "*reg save*HKLM\\SYSTEM*" ||
// Windows PowerShell
context.command like "*Get-Content*SAM*|*Invoke-WebRequest*" ||
context.command like "*Get-Content*SYSTEM*|*Invoke-RestMethod*"
};
Click to expand
Block agent writes to system configuration directories
file_write owasp-agentic
OWASP-ASI02SOC2-CC6.1EU-AI-15
Incident: AutoGPT unbounded filesystem permissions led to system config modification, 2023
Alternative: Do not modify system configuration files directly. Propose changes for human review or use configuration management tools.
@id("owasp-004")
@category("ASI02")
@incident("AutoGPT unbounded filesystem permissions led to system config modification, 2023")
@description("Block agent writes to system configuration directories")
@suggested_alternative("Do not modify system configuration files directly. Propose changes for human review or use configuration management tools.")
@controls("OWASP-ASI02, SOC2-CC6.1, EU-AI-15")
forbid (
principal,
action == Vectimus::Action::"file_write",
resource
) when {
// Unix/macOS
context.file_path like "/etc/*" ||
// Windows system directories
context.file_path like "*\\Windows\\System32\\*" ||
context.file_path like "*\\Windows\\SysWOW64\\*" ||
context.file_path like "*\\Windows\\system32\\*"
};
Click to expand
Block execution of scripts written to /tmp by agents
shell_command owasp-agentic
OWASP-ASI02SOC2-CC6.8EU-AI-15
Incident: Replit vibe coding runaway execution of agent-generated scripts, 2025
Alternative: Write scripts to the project directory and request human review before execution. Do not use /tmp for executable scripts.
@id("owasp-005")
@category("ASI02")
@incident("Replit vibe coding runaway execution of agent-generated scripts, 2025")
@description("Block execution of scripts written to /tmp by agents")
@suggested_alternative("Write scripts to the project directory and request human review before execution. Do not use /tmp for executable scripts.")
@controls("OWASP-ASI02, SOC2-CC6.8, EU-AI-15")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
// Unix/macOS
context.command like "*bash /tmp/*" ||
context.command like "*sh /tmp/*" ||
context.command like "*python /tmp/*" ||
context.command like "*python3 /tmp/*" ||
context.command like "*node /tmp/*" ||
context.command like "*perl /tmp/*" ||
context.command like "*ruby /tmp/*" ||
context.command like "*/tmp/*.sh*" ||
context.command like "*/tmp/*.py*" ||
// Windows -- temp directory script execution
context.command like "*\\Temp\\*.ps1*" ||
context.command like "*\\Temp\\*.bat*" ||
context.command like "*\\Temp\\*.cmd*" ||
context.command like "*\\Temp\\*.py*" ||
context.command like "*\\Temp\\*.js*" ||
context.command like "*%TEMP%\\*" ||
context.command like "*$env:TEMP\\*"
};
Click to expand
Block database destruction commands in shell
shell_command owasp-agentic
OWASP-ASI02SOC2-CC6.1EU-AI-14
Incident: Agent misused database tool to delete entire database, OWASP ASI02 Scenario 3
Alternative: Use specific DELETE statements with WHERE clauses or request human approval before dropping databases or tables.
@id("owasp-006")
@category("ASI02")
@incident("Agent misused database tool to delete entire database, OWASP ASI02 Scenario 3")
@description("Block database destruction commands in shell")
@suggested_alternative("Use specific DELETE statements with WHERE clauses or request human approval before dropping databases or tables.")
@controls("OWASP-ASI02, SOC2-CC6.1, EU-AI-14")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
context.command like "*DROP DATABASE*" ||
context.command like "*drop database*" ||
context.command like "*Drop Database*" ||
context.command like "*DROP TABLE*" ||
context.command like "*drop table*" ||
context.command like "*Drop Table*" ||
context.command like "*dropdb*"
};
Click to expand
Block cloud CLI privilege escalation commands
infrastructure owasp-agentic
OWASP-ASI03SOC2-CC6.1EU-AI-15
Incident: 15 Ways to Break Your Copilot, BHUSA 2024 - agent privilege escalation
Alternative: Use the cloud credentials already configured for the current session. Request human approval for role assumption or re-authentication.
@id("owasp-007")
@category("ASI03")
@incident("15 Ways to Break Your Copilot, BHUSA 2024 - agent privilege escalation")
@description("Block cloud CLI privilege escalation commands")
@suggested_alternative("Use the cloud credentials already configured for the current session. Request human approval for role assumption or re-authentication.")
@controls("OWASP-ASI03, SOC2-CC6.1, EU-AI-15")
forbid (
principal,
action == Vectimus::Action::"infrastructure",
resource
) when {
context.command like "*aws sts assume-role*" ||
context.command like "*gcloud auth login*" ||
context.command like "*gcloud auth activate-service-account*" ||
context.command like "*az login*"
};
Click to expand
Block file operations targeting other users' home directories
file_read owasp-agentic
OWASP-ASI03SOC2-CC6.1
Incident: Docker MCP prompt injection allowed cross-user file access, 2025
Alternative: Operate within your own project directory. Access to other users' files requires explicit human authorisation.
@id("owasp-008")
@category("ASI03")
@incident("Docker MCP prompt injection allowed cross-user file access, 2025")
@description("Block file operations targeting other users' home directories")
@suggested_alternative("Operate within your own project directory. Access to other users' files requires explicit human authorisation.")
@controls("OWASP-ASI03, SOC2-CC6.1")
forbid (
principal,
action == Vectimus::Action::"file_read",
resource
) when {
// Unix/macOS
context.file_path like "/home/*/../*" ||
context.file_path like "/Users/*/../*" ||
context.file_path like "/root/*" ||
// Windows
context.file_path like "*\\Users\\*\\..\\*" ||
context.file_path like "C:\\Users\\*\\..\\*"
};
Click to expand
Block sudo and su execution by agents to prevent privilege escalation
shell_command owasp-agentic
OWASP-ASI03SOC2-CC6.1EU-AI-14
Incident: CVE-2025-31491: agent privilege escalation via sudo
Alternative: Run commands with current user permissions. If elevated privileges are needed, request human approval to run the command manually.
@id("owasp-009")
@category("ASI03")
@incident("CVE-2025-31491: agent privilege escalation via sudo")
@description("Block sudo and su execution by agents to prevent privilege escalation")
@suggested_alternative("Run commands with current user permissions. If elevated privileges are needed, request human approval to run the command manually.")
@controls("OWASP-ASI03, SOC2-CC6.1, EU-AI-14")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
// Unix/macOS
context.command like "sudo *" ||
context.command like "*| sudo *" ||
context.command like "su *" ||
context.command like "su -c*" ||
// Windows cmd
context.command like "*runas /user:*" ||
context.command like "*runas /noprofile*" ||
// Windows PowerShell
context.command like "*Start-Process*-Verb RunAs*" ||
context.command like "*Start-Process*-Verb runas*"
};
Click to expand
Block agent modification of package lockfiles
file_write owasp-agentic
OWASP-ASI04SOC2-CC8.1NIST-AI-MG-3.2EU-AI-15
Incident: Dependency lockfile poisoning in ephemeral sandboxes, OWASP ASI05 Scenario 8
Alternative: Run the package manager install command to regenerate lockfiles naturally. Do not edit lockfiles directly.
@id("owasp-010")
@category("ASI04")
@incident("Dependency lockfile poisoning in ephemeral sandboxes, OWASP ASI05 Scenario 8")
@description("Block agent modification of package lockfiles")
@suggested_alternative("Run the package manager install command to regenerate lockfiles naturally. Do not edit lockfiles directly.")
@controls("OWASP-ASI04, SOC2-CC8.1, NIST-AI-MG-3.2, EU-AI-15")
forbid (
principal,
action == Vectimus::Action::"file_write",
resource
) when {
context.file_path like "*package-lock.json" ||
context.file_path like "*yarn.lock" ||
context.file_path like "*pnpm-lock.yaml" ||
context.file_path like "*Pipfile.lock" ||
context.file_path like "*poetry.lock" ||
context.file_path like "*uv.lock" ||
context.file_path like "*Cargo.lock" ||
context.file_path like "*Gemfile.lock" ||
context.file_path like "*composer.lock"
};
Click to expand
Block modification of package registry configuration files
file_write owasp-agentic
OWASP-ASI04SOC2-CC8.1NIST-AI-MG-3.2EU-AI-15
Incident: Malicious MCP server impersonating Postmark on npm, 2025
Alternative: Package registry configuration should be managed by a human administrator, not modified by agents.
@id("owasp-011")
@category("ASI04")
@incident("Malicious MCP server impersonating Postmark on npm, 2025")
@description("Block modification of package registry configuration files")
@suggested_alternative("Package registry configuration should be managed by a human administrator, not modified by agents.")
@controls("OWASP-ASI04, SOC2-CC8.1, NIST-AI-MG-3.2, EU-AI-15")
forbid (
principal,
action == Vectimus::Action::"file_write",
resource
) when {
context.file_path like "*.npmrc" ||
context.file_path like "*.pypirc" ||
context.file_path like "*pip.conf" ||
context.file_path like "*.cargo/config*" ||
context.file_path like "*.yarnrc*"
};
Click to expand
Block cargo install from git URLs which bypass registry review
package_operation owasp-agentic
OWASP-ASI04SOC2-CC6.8NIST-AI-MG-3.2EU-AI-15
Incident: Amazon Q supply chain compromise via poisoned extension, 2025
Alternative: Install Rust packages from crates.io by name. Git-sourced dependencies bypass registry verification.
@id("owasp-012")
@category("ASI04")
@incident("Amazon Q supply chain compromise via poisoned extension, 2025")
@description("Block cargo install from git URLs which bypass registry review")
@suggested_alternative("Install Rust packages from crates.io by name. Git-sourced dependencies bypass registry verification.")
@controls("OWASP-ASI04, SOC2-CC6.8, NIST-AI-MG-3.2, EU-AI-15")
forbid (
principal,
action == Vectimus::Action::"package_operation",
resource
) when {
context.command like "*cargo install*--git*"
};
Click to expand
Block adding git submodules which can introduce unvetted code
git_operation owasp-agentic
OWASP-ASI04SOC2-CC8.1NIST-AI-MG-3.2
Incident: Agent-in-the-middle via agent cards in A2A protocol, Trustwave 2025
Alternative: Use package managers to add dependencies. If a git submodule is needed, request human review of the source repository first.
@id("owasp-013")
@category("ASI04")
@incident("Agent-in-the-middle via agent cards in A2A protocol, Trustwave 2025")
@description("Block adding git submodules which can introduce unvetted code")
@suggested_alternative("Use package managers to add dependencies. If a git submodule is needed, request human review of the source repository first.")
@controls("OWASP-ASI04, SOC2-CC8.1, NIST-AI-MG-3.2")
forbid (
principal,
action == Vectimus::Action::"git_operation",
resource
) when {
context.command like "*git submodule add*"
};
Click to expand
Block reverse shell patterns in shell commands
shell_command owasp-agentic
OWASP-ASI05SOC2-CC6.8EU-AI-15
Incident: Auto-GPT RCE and container escape, Positive Security 2024
Alternative: Do not open reverse shells. If remote access is needed, use SSH with proper authentication.
@id("owasp-014")
@category("ASI05")
@incident("Auto-GPT RCE and container escape, Positive Security 2024")
@description("Block reverse shell patterns in shell commands")
@suggested_alternative("Do not open reverse shells. If remote access is needed, use SSH with proper authentication.")
@controls("OWASP-ASI05, SOC2-CC6.8, EU-AI-15")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
// Unix/macOS
context.command like "*bash -i*>*&*/dev/tcp*" ||
context.command like "nc -e*" ||
context.command like "*| nc -e*" ||
context.command like "*; nc -e*" ||
context.command like "nc -c*" ||
context.command like "*| nc -c*" ||
context.command like "*; nc -c*" ||
context.command like "ncat -e*" ||
context.command like "*| ncat -e*" ||
context.command like "*; ncat -e*" ||
context.command like "*/dev/tcp/*" ||
context.command like "*mkfifo*/tmp/*nc*" ||
context.command like "*import socket*connect*" ||
// Windows PowerShell reverse shells
context.command like "*New-Object*Net.Sockets.TCPClient*" ||
context.command like "*System.Net.Sockets.TCPClient*" ||
context.command like "*TCPClient*GetStream*" ||
context.command like "*IO.StreamReader*Net.Sockets*" ||
context.command like "*Invoke-PowerShellTcp*" ||
// Windows cmd -- ncat/nc on Windows
context.command like "*ncat.exe*-e*" ||
context.command like "*nc.exe*-e*"
};
Click to expand
Block python -c with network or socket operations
shell_command owasp-agentic
OWASP-ASI05SOC2-CC6.8EU-AI-15
Incident: Waclaude memory exploitation RCE via agent-generated Python, 2025
Alternative: Write Python code to a file for review before execution. Do not use python -c for network operations.
@id("owasp-015")
@category("ASI05")
@incident("Waclaude memory exploitation RCE via agent-generated Python, 2025")
@description("Block python -c with network or socket operations")
@suggested_alternative("Write Python code to a file for review before execution. Do not use python -c for network operations.")
@controls("OWASP-ASI05, SOC2-CC6.8, EU-AI-15")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
context.command like "*python*-c*socket*" ||
context.command like "*python*-c*urllib*" ||
context.command like "*python*-c*requests*" ||
context.command like "*python3*-c*socket*" ||
context.command like "*python3*-c*urllib*" ||
context.command like "*python3*-c*requests*"
};
Click to expand
Block downloading and executing binaries in a single command chain
shell_command owasp-agentic
OWASP-ASI05SOC2-CC6.8EU-AI-15
Incident: GitHub Copilot RCE via prompt injection, 2025
Alternative: Download files to disk first, verify their checksums, then execute after human review.
@id("owasp-016")
@category("ASI05")
@incident("GitHub Copilot RCE via prompt injection, 2025")
@description("Block downloading and executing binaries in a single command chain")
@suggested_alternative("Download files to disk first, verify their checksums, then execute after human review.")
@controls("OWASP-ASI05, SOC2-CC6.8, EU-AI-15")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
// Unix/macOS
context.command like "*curl*&&*chmod*+x*" ||
context.command like "*wget*&&*chmod*+x*" ||
context.command like "*curl*&&*bash*" ||
context.command like "*wget*&&*bash*" ||
context.command like "*curl*; chmod*+x*" ||
context.command like "*wget*; chmod*+x*" ||
// Windows PowerShell -- download and execute chains
context.command like "*Invoke-WebRequest*&&*Start-Process*" ||
context.command like "*Invoke-WebRequest*;*Start-Process*" ||
context.command like "*iwr*;*Start-Process*" ||
context.command like "*Invoke-WebRequest*;*&*" ||
// Windows cmd -- certutil/bitsadmin download-execute
context.command like "*certutil*-urlcache*&&*" ||
context.command like "*bitsadmin*/transfer*&&*"
};
Click to expand
Block eval and exec patterns in shell commands that execute dynamic code
shell_command owasp-agentic
OWASP-ASI05SOC2-CC6.8EU-AI-15
Incident: Agent memory system RCE via unsafe eval, OWASP ASI05 Scenario 6
Alternative: Write code to a file for review instead of using eval or exec. Dynamic code execution from untrusted input is dangerous.
@id("owasp-017")
@category("ASI05")
@incident("Agent memory system RCE via unsafe eval, OWASP ASI05 Scenario 6")
@description("Block eval and exec patterns in shell commands that execute dynamic code")
@suggested_alternative("Write code to a file for review instead of using eval or exec. Dynamic code execution from untrusted input is dangerous.")
@controls("OWASP-ASI05, SOC2-CC6.8, EU-AI-15")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
// Unix/macOS
context.command like "*eval $(*" ||
context.command like "*eval \"$(*" ||
context.command like "*eval `*" ||
context.command like "*python*-c*exec(*" ||
context.command like "*python3*-c*exec(*" ||
context.command like "*node -e*eval(*" ||
context.command like "*node -e*Function(*" ||
// Windows PowerShell
context.command like "*Invoke-Expression*$(*" ||
context.command like "*Invoke-Expression*DownloadString*" ||
context.command like "*iex*$(*" ||
context.command like "*iex*DownloadString*"
};
Click to expand
Block writes to agent instruction and rules files
file_write owasp-agentic
OWASP-ASI06SOC2-CC6.1EU-AI-14
Incident: AgentFlayer: persistent 0click exploit planting false memories in ChatGPT, 2025
Alternative: Agent instruction files should be edited by a human developer, not modified by the agent itself. Propose changes for human review.
@id("owasp-018")
@category("ASI06")
@incident("AgentFlayer: persistent 0click exploit planting false memories in ChatGPT, 2025")
@description("Block writes to agent instruction and rules files")
@suggested_alternative("Agent instruction files should be edited by a human developer, not modified by the agent itself. Propose changes for human review.")
@controls("OWASP-ASI06, SOC2-CC6.1, EU-AI-14")
forbid (
principal,
action == Vectimus::Action::"file_write",
resource
) when {
context.file_path like "*CLAUDE.md" ||
context.file_path like "*AGENTS.md" ||
context.file_path like "*.cursorrules" ||
context.file_path like "*.github/copilot-instructions.md" ||
context.file_path like "*.windsurfrules" ||
context.file_path like "*.clinerules" ||
context.file_path like "*.kirorules" ||
context.file_path like "*.aider.conf.yml" ||
context.file_path like "*.zed/settings.json" ||
context.file_path like "*.roorules"
};
Click to expand
Block writes to agent memory and state directories
file_write owasp-agentic
OWASP-ASI06SOC2-CC6.1EU-AI-14
Incident: Gemini long-term memory corruption via prompt injection, 2025
Alternative: Agent configuration and state directories should be managed through proper tooling, not written to directly by agents.
@id("owasp-019")
@category("ASI06")
@incident("Gemini long-term memory corruption via prompt injection, 2025")
@description("Block writes to agent memory and state directories")
@suggested_alternative("Agent configuration and state directories should be managed through proper tooling, not written to directly by agents.")
@controls("OWASP-ASI06, SOC2-CC6.1, EU-AI-14")
forbid (
principal,
action == Vectimus::Action::"file_write",
resource
) when {
context.file_path like "*.continue/*" ||
context.file_path like "*.aider*" ||
context.file_path like "*.claude/memory*" ||
context.file_path like "*.cursor/memory*"
};
Click to expand
Block agents from disabling or clearing log and audit files
shell_command owasp-agentic
OWASP-ASI10SOC2-CC7.2EU-AI-15
Incident: Multi-agent systems executing arbitrary malicious code, arXiv 2503.12188, 2025
Alternative: Do not modify log files or audit trails. If log management is needed, use the designated log rotation tools.
@id("owasp-020")
@category("ASI10")
@incident("Multi-agent systems executing arbitrary malicious code, arXiv 2503.12188, 2025")
@description("Block agents from disabling or clearing log and audit files")
@suggested_alternative("Do not modify log files or audit trails. If log management is needed, use the designated log rotation tools.")
@controls("OWASP-ASI10, SOC2-CC7.2, EU-AI-15")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
// Unix/macOS
context.command like "*truncate*/var/log*" ||
context.command like "*truncate*audit*" ||
context.command like "*> /var/log/*" ||
context.command like "*rm*/var/log/*" ||
context.command like "*shred*/var/log*" ||
context.command like "*shred*audit*" ||
context.command like "rm *audit*" ||
context.command like "*| rm *audit*" ||
context.command like "*; rm *audit*" ||
context.command like "rm *.log*" ||
context.command like "*| rm *.log*" ||
context.command like "*; rm *.log*" ||
// Windows cmd
context.command like "*wevtutil cl*" ||
context.command like "*wevtutil clear-log*" ||
context.command like "*del*\\Logs\\*" ||
context.command like "*del*.evtx*" ||
// Windows PowerShell
context.command like "*Clear-EventLog*" ||
context.command like "*Remove-EventLog*" ||
context.command like "*Remove-Item*\\Logs\\*" ||
context.command like "*Remove-Item*.evtx*"
};
Click to expand
Block creation of cron jobs and scheduled tasks by agents
shell_command owasp-agentic
OWASP-ASI10SOC2-CC7.2EU-AI-15
Incident: Rogue agent self-replication via provisioning APIs, OWASP ASI10 Scenario 3
Alternative: Scheduled tasks should be created by a human administrator. If automation is needed, propose a cron entry for human review.
@id("owasp-021")
@category("ASI10")
@incident("Rogue agent self-replication via provisioning APIs, OWASP ASI10 Scenario 3")
@description("Block creation of cron jobs and scheduled tasks by agents")
@suggested_alternative("Scheduled tasks should be created by a human administrator. If automation is needed, propose a cron entry for human review.")
@controls("OWASP-ASI10, SOC2-CC7.2, EU-AI-15")
forbid (
principal,
action == Vectimus::Action::"shell_command",
resource
) when {
// Unix/macOS
context.command like "*crontab*" ||
context.command like "*/etc/cron*" ||
context.command like "*systemctl enable*" ||
context.command like "*systemctl start*" ||
context.command like "at *" ||
context.command like "*| at *" ||
context.command like "*; at *" ||
// Windows cmd
context.command like "*schtasks*" ||
// Windows PowerShell
context.command like "*Register-ScheduledTask*" ||
context.command like "*New-ScheduledTask*" ||
context.command like "*Set-ScheduledTask*" ||
// macOS
context.command like "*launchctl load*" ||
context.command like "*launchctl submit*"
};
Click to expand
Block broadcast messages to all agents to prevent amplification and noise injection
agent_message owasp-agentic
OWASP-ASI07SOC2-CC7.2EU-AI-14
Incident: Multi-agent broadcast amplification causing token exhaustion, OWASP ASI07 Scenario 2
Alternative: Send targeted messages to specific agents using type 'message' with a named recipient instead of broadcasting.
@id("owasp-022")
@category("ASI07")
@incident("Multi-agent broadcast amplification causing token exhaustion, OWASP ASI07 Scenario 2")
@description("Block broadcast messages to all agents to prevent amplification and noise injection")
@suggested_alternative("Send targeted messages to specific agents using type 'message' with a named recipient instead of broadcasting.")
@controls("OWASP-ASI07, SOC2-CC7.2, EU-AI-14")
forbid (
principal,
action == Vectimus::Action::"agent_message",
resource
) when {
context.command like "*type=broadcast*"
};
Click to expand
Block spawning sub-agents with elevated permissions that bypass safety controls
agent_spawn owasp-agentic
OWASP-ASI07SOC2-CC7.2EU-AI-14
Incident: Agent privilege cascade via bypassPermissions delegation, OWASP ASI07 Scenario 1
Alternative: Spawn agents with default permission mode. If elevated permissions are needed, request human approval first.
@id("owasp-023")
@category("ASI07")
@incident("Agent privilege cascade via bypassPermissions delegation, OWASP ASI07 Scenario 1")
@description("Block spawning sub-agents with elevated permissions that bypass safety controls")
@suggested_alternative("Spawn agents with default permission mode. If elevated permissions are needed, request human approval first.")
@controls("OWASP-ASI07, SOC2-CC7.2, EU-AI-14")
forbid (
principal,
action == Vectimus::Action::"agent_spawn",
resource
) when {
context.command like "*mode=bypassPermissions*" ||
context.command like "*mode=dontAsk*"
};
Click to expand
Block agents from sending shutdown requests to terminate peer agents
agent_message owasp-agentic
OWASP-ASI07SOC2-CC7.2EU-AI-14
Incident: Compromised agent terminating monitoring agents via shutdown requests, OWASP ASI07 Scenario 3
Alternative: Only team leads should send shutdown requests. If an agent needs to stop, it should complete its task and go idle.
@id("owasp-024")
@category("ASI07")
@incident("Compromised agent terminating monitoring agents via shutdown requests, OWASP ASI07 Scenario 3")
@description("Block agents from sending shutdown requests to terminate peer agents")
@suggested_alternative("Only team leads should send shutdown requests. If an agent needs to stop, it should complete its task and go idle.")
@controls("OWASP-ASI07, SOC2-CC7.2, EU-AI-14")
forbid (
principal,
action == Vectimus::Action::"agent_message",
resource
) when {
context.command like "*type=shutdown_request*"
};
Click to expand
Block agent spawning with excessive turn counts that risk runaway execution
agent_spawn owasp-agentic
OWASP-ASI08SOC2-CC7.2EU-AI-14
Incident: Runaway agent consuming unbounded API tokens over 200+ turns, OWASP ASI08 Scenario 1
Alternative: Reduce max_turns to 50 or fewer. Break large tasks into smaller subtasks with human checkpoints between them.
@id("owasp-025")
@category("ASI08")
@incident("Runaway agent consuming unbounded API tokens over 200+ turns, OWASP ASI08 Scenario 1")
@description("Block agent spawning with excessive turn counts that risk runaway execution")
@suggested_alternative("Reduce max_turns to 50 or fewer. Break large tasks into smaller subtasks with human checkpoints between them.")
@controls("OWASP-ASI08, SOC2-CC7.2, EU-AI-14")
forbid (
principal,
action == Vectimus::Action::"agent_spawn",
resource
) when {
context.command like "*EXCESSIVE_TURNS*"
};
Click to expand
Block creation of multi-agent teams to prevent uncontrolled swarm amplification
agent_spawn owasp-agentic
OWASP-ASI08SOC2-CC7.2EU-AI-14
Incident: Multi-agent swarm causing cascading API rate-limit exhaustion, OWASP ASI08 Scenario 2
Alternative: Spawn individual agents for specific tasks rather than creating teams. If a team workflow is needed, request human approval.
@id("owasp-026")
@category("ASI08")
@incident("Multi-agent swarm causing cascading API rate-limit exhaustion, OWASP ASI08 Scenario 2")
@description("Block creation of multi-agent teams to prevent uncontrolled swarm amplification")
@suggested_alternative("Spawn individual agents for specific tasks rather than creating teams. If a team workflow is needed, request human approval.")
@controls("OWASP-ASI08, SOC2-CC7.2, EU-AI-14")
forbid (
principal,
action == Vectimus::Action::"agent_spawn",
resource == Vectimus::Tool::"TeamCreate"
) when {
true
};
Click to expand
Block spawning background agents with unrestricted permissions to prevent unmonitored cascades
agent_spawn owasp-agentic
OWASP-ASI08SOC2-CC7.2EU-AI-14
Incident: Background agent cascade with no human oversight consuming all available compute, OWASP ASI08 Scenario 3
Alternative: Run agents in the foreground for human oversight, or use default permission mode for background agents.
@id("owasp-027")
@category("ASI08")
@incident("Background agent cascade with no human oversight consuming all available compute, OWASP ASI08 Scenario 3")
@description("Block spawning background agents with unrestricted permissions to prevent unmonitored cascades")
@suggested_alternative("Run agents in the foreground for human oversight, or use default permission mode for background agents.")
@controls("OWASP-ASI08, SOC2-CC7.2, EU-AI-14")
forbid (
principal,
action == Vectimus::Action::"agent_spawn",
resource
) when {
context.command like "*background=true*" &&
context.command like "*mode=bypassPermissions*"
};
Click to expand
Block agent spawning when session-level spawn flood is detected
agent_spawn owasp-agentic
OWASP-ASI08SOC2-CC7.2EU-AI-14
Incident: Agent spawning flood detected via session tracking, OWASP ASI08 Scenario 4
Alternative: Reduce the number of sub-agents. Break work into sequential steps with human checkpoints rather than parallel fan-out.
@id("owasp-028")
@category("ASI08")
@incident("Agent spawning flood detected via session tracking, OWASP ASI08 Scenario 4")
@description("Block agent spawning when session-level spawn flood is detected")
@suggested_alternative("Reduce the number of sub-agents. Break work into sequential steps with human checkpoints rather than parallel fan-out.")
@controls("OWASP-ASI08, SOC2-CC7.2, EU-AI-14")
forbid (
principal,
action == Vectimus::Action::"agent_spawn",
resource
) when {
context.command like "*SESSION_SPAWN_FLOOD*"
};
Click to expand
Block agent messaging when session-level message flood is detected
agent_message owasp-agentic
OWASP-ASI08SOC2-CC7.2EU-AI-14
Incident: Agent message flood detected via session tracking, OWASP ASI08 Scenario 5
Alternative: Reduce inter-agent message volume. Consolidate updates into fewer, larger messages instead of many small ones.
@id("owasp-029")
@category("ASI08")
@incident("Agent message flood detected via session tracking, OWASP ASI08 Scenario 5")
@description("Block agent messaging when session-level message flood is detected")
@suggested_alternative("Reduce inter-agent message volume. Consolidate updates into fewer, larger messages instead of many small ones.")
@controls("OWASP-ASI08, SOC2-CC7.2, EU-AI-14")
forbid (
principal,
action == Vectimus::Action::"agent_message",
resource
) when {
context.command like "*SESSION_MESSAGE_FLOOD*"
};
Click to expand