# OWASP LLM Top 10 (2025): Agent Security Crosswalk
Map each OWASP LLM Top 10 (2025) risk to coding-agent-specific manifestations and site pages — a navigation aid, not a recommended threat model.
This page exists because the OWASP Top 10 for LLM Applications (2025) is the dominant shared vocabulary for LLM risk, not because it is the optimal threat model for autonomous coding agents. For that, OWASP itself published a separate Top 10 for Agentic Applications (2026) — the more directly applicable framework when the agent plans, persists state, and invokes tools across trust boundaries. Use this crosswalk to locate site coverage from the LLM Top 10's category names; use the Four-Layer Taxonomy of Agent Security Risks or Lethal Trifecta Threat Model for the mechanism-side analysis a coding-agent build actually needs.
## The Crosswalk
Each row leads with the agent-specific manifestation in this site's own words — the LLM Top 10 entries are framed around general LLM-application risk, so the agent-side translation is non-trivial for several entries. Coverage flags are scoped to coding-agent / agent-harness builds: saturated = multiple first-class pages, covered = at least one direct page, partial = adjacent pages but no first-class treatment, gap = no direct coverage on this site as of the `last_reviewed` date.
| OWASP 2025 Risk | Agent-Specific Manifestation | Site Coverage | Status |
|---|---|---|---|
| LLM01:2025 Prompt Injection | Untrusted content reaches the model via fetched pages, file reads, tool outputs, or returned API bodies; instructions inside that content redirect the agent's behaviour. The indirect variant is the dominant coding-agent attack surface. | Prompt Injection: A First-Class Threat, Designing Agents to Resist Prompt Injection, Indirect Injection Discovery, CaMeL, Action-Selector Pattern, Single-Layer Injection Defence (anti-pattern) | saturated |
| LLM02:2025 Sensitive Information Disclosure | Agent context aggregates secrets, source files, transcripts, and tool outputs; exfiltration paths run through agent-authored messages, URL construction, and rendered images — not only model output. | PII Tokenization in Agent Context, Protecting Sensitive Files, Privacy-Preserving LLM Requests, Secrets Management for Agents, URL-Based Exfiltration Guard, Agent-Authored Messages as Deferred Exfiltration | saturated |
| LLM03:2025 Supply Chain | Agent supply chains span model weights, MCP servers, skills, plugins, and emitted dependency manifests; a tampered or floating-range dependency inherits agent privileges. | Agent-Emitted Dependency Ranges, LLM-Pinned Vulnerable Versions, Skill Supply-Chain Poisoning, Tool Signing and Signature Verification | saturated |
| LLM04:2025 Data and Model Poisoning | Most coding-agent builders consume vendor APIs and do not influence pretraining; the agent-relevant slice is poisoning of RAG corpora, knowledge graphs, and persistent memory the agent later retrieves. | Oracle Poisoning: Knowledge Graph Corruption, RAG Architecture as a Poisoning Robustness Decision, Trojan Hippo: Dormant Memory Payloads, Cross-Session Memory Poisoning for Data Exfiltration, Cognitive Poisoning via Tool Feedback | covered |
| LLM05:2025 Improper Output Handling | For coding agents the "output" is emitted code, shell commands, and tool arguments — not chat text returned to a user. Defences are output-side scanners, structural verifiers, and default-deny posture before downstream consumption. | Verifying LLM-Generated Cryptographic Code, Safe Outputs Pattern | partial |
| LLM06:2025 Excessive Agency | OWASP's 2025 revision decomposes this risk into excessive functionality, excessive permissions, and excessive autonomy — the three axes that map most directly to a coding-agent harness. Each axis has its own controls on this site. | Functionality: Blast Radius Containment, Task Scope as Security Boundary. Permissions: Agent Network Egress Policy, Transcript-Driven Permission Allowlist, Permission-Gated Commands. Autonomy: Human-in-the-Loop Confirmation Gates, Safe Outputs Pattern. | saturated |
| LLM07:2025 System Prompt Leakage | System prompts in coding-agent harnesses carry instructions, sometimes credentials, and the tool catalogue; exfiltration paths include malicious tool descriptions, jailbreak chains, and chained injection through fetched content. | Tool-Invocation Attack Surface (system-prompt exfiltration via malicious tool descriptions) | partial |
| LLM08:2025 Vector and Embedding Weaknesses | RAG-equipped coding agents expose the embedding-and-retrieve pipeline as an attack surface: chunk-level authorisation gaps, embedding inversion, and relevance-not-authorisation ranking. | Multitenant RAG: Relevance-Authorization Gap, RAG Architecture as a Poisoning Robustness Decision | partial |
| LLM09:2025 Misinformation | For coding agents the misinformation surface is hallucinated APIs, fabricated dependency versions, and confident-wrong refactors — verification-side defences carry the load. | Coding Agent Misalignment Forms, Objective Drift, Chain-of-Verification for Coding Agents, Incremental Verification | partial |
| LLM10:2025 Unbounded Consumption | Long-running coding agents that loop on tool output, fan out sub-agents, or retry on transient errors can drain token and rate-limit budgets — a denial-of-wallet failure mode distinct from classical DoS. | No direct coverage of denial-of-wallet for coding agents; Cryptographic Governance Audit Trail and MCP Runtime Control Plane touch budget enforcement adjacently. | gap |
## Why It Works
Practitioners arrive at security material with the vocabulary their training, compliance reviews, and tooling use — and for LLM risk that vocabulary is overwhelmingly the OWASP LLM Top 10, the most-searched LLM risk framework as captured by industry summaries such as Aembit's market overview and Security Boulevard's 2026 explainer. This site indexes the same threats by mechanism — sandboxing, permissions, tool invocation, supply chain — because that is how engineers reason about controls during a build-out, the same organising principle used by the Four-Layer Taxonomy of Agent Security Risks. A crosswalk closes the gap by giving readers a stable mapping from the framework names they searched to the mechanism-organised pages that answer the risk for a coding-agent context. The pattern is the same one Tool Signing and Signature Verification already uses at the page level to cite OWASP MCP03:2025 Tool Poisoning — vocabulary at the top, mechanism in the body.
## When This Backfires
A crosswalk is a discovery aid, not a threat model — five conditions make it actively misleading if treated as one.
- Coding agents are not chat apps. LLM05 and LLM09 are framed around chat output returned to a human reviewer. For a coding agent the "output" is emitted code, shell commands, and tool arguments that downstream systems execute. Reuse of OWASP's chat-app phrasing produces controls that do not match the actual sink — the row-level agent-specific framing above is what avoids that.
- Pre-trained model assumption. LLM04 Data and Model Poisoning primarily targets training and fine-tuning datasets. Most coding-agent builders consume vendor APIs and have no influence over pretraining. A literal LLM04 crosswalk that routes readers to training-pipeline controls misallocates attention; the agent-relevant slice is RAG / KG / memory poisoning, which is what this row links.
- Two OWASP frameworks now coexist. The Top 10 for Agentic Applications (2026) explicitly targets autonomous systems and overlaps but does not duplicate the LLM Top 10. Treating this crosswalk as the only OWASP integration on the site leaves the reader unable to choose; the page header points to both frameworks for that reason.
- OWASP text is CC-BY-SA 4.0. Reproducing official risk descriptions verbatim creates an attribution-and-share-alike obligation and weakens originality. This crosswalk leads every row with an agent-specific manifestation in the site's own words and links to OWASP for the canonical text.
- Coverage flags age out. A "gap" row becomes wrong the moment a sibling page lands. The `last_reviewed` frontmatter dates this snapshot; the full-audit pipeline refreshes it on every audit run. Readers who land here years later should treat coverage flags as a reading aid, not a current site index.
## Key Takeaways
- The OWASP LLM Top 10 (2025) is the dominant shared vocabulary for LLM risk; this crosswalk closes the gap between that vocabulary and this site's mechanism-organised pages.
- For coding agents specifically, the OWASP Top 10 for Agentic Applications (2026) is the more directly applicable framework — use this page for navigation, not as a threat model.
- LLM01, LLM02, LLM03, and LLM06 are saturated on this site; LLM04 is covered; LLM05, LLM07, LLM08, and LLM09 are partial; LLM10 is a gap as of the `last_reviewed` date.
- Pair the crosswalk with mechanism-based models — Four-Layer Taxonomy, Lethal Trifecta, Defense-in-Depth — for the controls a coding-agent build actually composes.
## Related
- Four-Layer Taxonomy of Agent Security Risks — mechanism-organised navigation grid that pairs with the framework-organised crosswalk above
- Lethal Trifecta Threat Model — capability-based threat model for the trifecta that underlies LLM01 / LLM02 / LLM06
- Defense-in-Depth Agent Safety — independent-mechanism layering across all ten risk categories
- Prompt Injection: A First-Class Threat to Agentic Systems — primary LLM01 entry for coding agents
- Tool-Invocation Attack Surface — LLM05 (improper output handling) and LLM07 (system-prompt leakage) adjacencies for tool-using agents