Blog - Agentsafelabs
https://agentsafelabs.com/blog/
Page published 2026-06-02, last modified 2026-06-06.

Prompt Injection Is Not a Chatbot Problem: How the Attack Surface Changes When Your LLM Has Tools
Waqar Javed, June 7, 2026
https://agentsafelabs.com/blog/prompt-injection-is-not-a-chatbot-problem-how-the-attack-surface-changes-when-your-llm-has-tools/

Excerpt:
The AI security field spent two years building prompt injection defenses for chatbots. Input filters, output monitors, adversarial training, instruction hierarchy enforcement. Some of it works reasonably well — for chatbots. Agents are a different problem. The defenses built for chatbot-era prompt injection fail against agentic attack vectors for fundamental architectural reasons, not implementation reasons. You cannot fix this by tuning your filters. This post explains why.

The Chatbot Threat Model
In a chatbot, the attack surface is simple. There is one input channel: the user message. There is one output channel: the model's text response. The threat is a user who types something malicious. The defense is correspondingly simple: train the model to recognize and resist adversarial user inputs. Monitor output for policy violations. The model is the system. Securing the model secures the system. This worked well enough for the chatbot era.

The Agentic Threat Model
An agent is not a model. It is a system that includes a model, plus tools, plus memory, plus external integrations, plus

The OWASP Agentic Security Initiative Top 10: A Practical Developer Guide for LangChain and CrewAI
Waqar Javed, June 5, 2026
Tags: crewai, langchain, owasp-agentic-security
https://agentsafelabs.com/blog/the-owasp-agentic-security-initiative-top-10-a-practical-developer-guide-for-langchain-and-crewai/

Excerpt:
OWASP formalized ASI01–ASI10 — the first structured vulnerability taxonomy for AI agents. Here is what each one means in practice, with code examples for LangChain and CrewAI developers. Most developers building AI agents are familiar with OWASP's LLM Top 10. Fewer know that OWASP has published a separate taxonomy specifically for agentic systems: the Agentic Security Initiative Top 10 (ASI01–ASI10). The distinction matters. Agents are not just LLMs. They use tools, maintain memory, delegate to sub-agents, and take actions in the world. The LLM Top 10 was not designed for this threat model. The ASI Top 10 is. This post walks through each category with concrete examples relevant to developers building on LangChain, CrewAI, and similar frameworks.

Why Claude Haiku Returned UNCERTAIN: Anatomy of an Indirect Prompt Injection in an Agentic System
Waqar Javed, June 5, 2026
Tags: agentic-system, claude-haiku, prompt-injection
https://agentsafelabs.com/blog/why-claude-haiku-returned-uncertain-anatomy-of-an-indirect-prompt-injection-in-an-agentic-system/

Excerpt:
We ran AgentSafeLabs against Claude Haiku on ASI01 (prompt injection). Two tests passed. One returned UNCERTAIN. Here is exactly what happened and why it matters for anyone building agents. When we ran Claude Haiku through AgentSafeLabs v0.1.2 last week, two of three ASI01 tests returned PASS. The third returned UNCERTAIN. That UNCERTAIN result is more interesting than either PASS or FAIL. This post explains exactly what happened, why it matters, and what it tells us about the current state of prompt injection defenses in agentic systems. The OWASP Agentic Security Initiative Top 10 formalizes the vulnerability taxonomy for AI agents. ASI01 covers prompt injection — but not the kind most developers think of. In a chatbot context, prompt injection looks like this: a user types "ignore your previous instructions and do X." The model either complies or it doesn't.