AI Agents Are Here, and So Are the Threats: Unit 42 Unveils the Top Ten AI Agent Security Risks

As AI agents move from experimental systems to production-scale applications, their growing autonomy introduces new security challenges. In a comprehensive new report, "AI Agents Are Here. So Are the Threats," Palo Alto Networks' Unit 42 shows how today's agent architectures, innovative as they are, remain vulnerable to a wide range of attacks, most of which stem not from the frameworks themselves but from how agents are designed, deployed and connected to external tools.

To assess the breadth of these risks, Unit 42 researchers built two functionally identical AI agents, one on CrewAI and the other on AutoGen. Despite the architectural differences, both systems exhibited the same vulnerabilities, confirming that the underlying problems are not framework-specific. Instead, the threats stem from misconfiguration, insecure prompt design and insufficiently hardened tool integration, rather than from the choice of framework.

Understanding the threat landscape

The report outlines ten core threats that expose AI agents to data leakage, tool misuse, remote code execution and more:

  1. Prompt injection and overly broad prompts
    Prompt injection remains an effective vector, allowing attackers to manipulate agent behavior, override instructions and abuse integrated tools. Even without classic injection syntax, loosely scoped prompts are easy to exploit.
  2. Framework-agnostic risk surface
    Most vulnerabilities do not originate in the frameworks (such as CrewAI or AutoGen) but in application-level design: unsafe role delegation, incorrect tool access policies and ambiguously scoped prompts.
  3. Insecure tool integration
    Many agent applications integrate tools (e.g., code execution modules, SQL clients, web scrapers) with minimal access control. Without proper input sanitization, these integrations greatly expand the agent's attack surface.
  4. Credential exposure
    Agents can inadvertently expose service credentials, tokens or API keys, enabling attackers to escalate privileges or impersonate the agent within its environment.
  5. Unrestricted code execution
    A code interpreter inside an agent, if not sandboxed, allows execution of arbitrary payloads. Attackers can use it to reach the file system, the network or metadata services, often bypassing traditional security layers.
  6. Lack of layered defense
    Single-point mitigations are insufficient. A strong security posture requires prompt hardening, runtime monitoring, input validation and container-level isolation as part of a defense-in-depth strategy.
  7. Prompt hardening
    Agents must be configured with strict role definitions, and requests that fall outside the predefined scope must be rejected. This reduces the likelihood of successful goal manipulation or instruction disclosure.
  8. Runtime content filtering
    Real-time inspection of inputs and outputs (such as filtering prompts for known attack patterns) is critical to detecting and mitigating dynamic threats.
  9. Tool input sanitization
    Structured input validation (checking formats, enforcing types and bounding values) is critical to preventing SQL injection, malformed payloads or cross-agent abuse.
  10. Code executor sandboxing
    The execution environment must restrict network access, drop unnecessary system capabilities and isolate temporary storage to limit the impact of a compromise.

Simulated attacks and real-world implications

To illustrate these risks, Unit 42 deployed a multi-agent investment assistant and simulated nine attack scenarios. These include:

  • Extracting agent instructions and tool schemas
    Through prompt engineering, an attacker can enumerate all internal agents, retrieve their task definitions and learn the tool APIs, enabling downstream attacks.
  • Credential theft via the metadata service
    By injecting a Python script into the code interpreter, the attacker reached the GCP metadata endpoint and stole a service account token.
  • SQL injection and BOLA vulnerabilities
    Agents that rely on unvalidated database query inputs are vulnerable to SQL injection and broken object-level authorization (BOLA), allowing attackers to read arbitrary users' data.
  • Indirect prompt injection
    A malicious website embeds instructions that cause the agent to send the user's conversation history to an attacker-controlled domain, highlighting the risks of automated browsing or reading tools.
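
Item 9 above (tool input sanitization) and the SQL injection / BOLA scenario describe the same defect from two sides. The following is an added example, not code from the Unit 42 report: a database tool for a hypothetical account-balance lookup shown in both forms, the anti-pattern that pastes the LLM-supplied argument into SQL with no ownership check, and the hardened version with format validation, parameter binding and an object-level authorization predicate. The account data, identifier format and caller identity are constructed.

```python
import re
import sqlite3

# Constructed sample data: two customers, each owning one brokerage account.
ACCOUNTS = [
    ("ACC-1001", "alice", 15000.0),
    ("ACC-1002", "bob", 4200.0),
]

# Hypothetical account identifier format; anything else is rejected before
# it can reach the database.
ACCOUNT_ID_RE = re.compile(r"ACC-\d{4}")


def make_db():
    """Build an in-memory SQLite database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (account_id TEXT PRIMARY KEY, owner TEXT, balance REAL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def get_balance_unsafe(conn, account_id):
    """The anti-pattern: the argument the LLM produced is pasted into the SQL
    text, and nothing ties the row to the user the agent is acting for."""
    row = conn.execute(
        f"SELECT balance FROM accounts WHERE account_id = '{account_id}'"
    ).fetchone()
    return row[0] if row else None


def get_balance(conn, caller, account_id):
    """Hardened tool: validate the shape, bind parameters, enforce ownership.

    `caller` comes from the authenticated session, never from the prompt, so the
    owner predicate closes the BOLA hole and the bound parameter closes injection.
    """
    if not isinstance(account_id, str) or not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError("account_id must match ACC-NNNN")
    row = conn.execute(
        "SELECT balance FROM accounts WHERE account_id = ? AND owner = ?",
        (account_id, caller),
    ).fetchone()
    if row is None:
        # Same answer for "does not exist" and "not yours": no enumeration oracle.
        raise PermissionError("no such account for this caller")
    return row[0]
```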

Each of these scenarios exploits common design oversights rather than novel zero-days. This highlights the urgent need for standardized threat modeling and secure agent development practices.

Defense Strategy: Beyond Patchwork Fixes

The report stresses that mitigating these threats requires holistic controls:

  • Prompt hardening: instruction leakage should be restricted, and tool access and task execution boundaries enforced.
  • Content filtering: apply both pre- and post-inference filtering to detect anomalous patterns in agent interactions.
  • Tool integration: test rigorously with static (SAST), dynamic (DAST) and dependency (SCA) analysis.
  • Code execution environment: adopt strict sandboxing, including network egress filtering, syscall restrictions and memory caps.
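
Item 10 and the "code execution environment" control above both call for network egress filtering, and the metadata-service scenario shows why: an interpreter that can reach 169.254.169.254 can read the instance's service account token. The added example below is not from the report; it is a pre-connect egress check a tool wrapper could run on every URL a browsing or code-execution tool wants to fetch. Link-local, loopback and private ranges are denied (IPv4-mapped IPv6 literals included), the GCP metadata hostname is denied by name, and anything else must be on an allowlist; the allowlisted host is a constructed placeholder.

```python
import ipaddress
from urllib.parse import urlsplit

# Networks a sandboxed agent tool should never reach. 169.254.0.0/16 holds the
# cloud metadata address (169.254.169.254) used in the report's credential-theft
# scenario; loopback and the RFC 1918 / ULA ranges are the usual companion denies.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7",
)]

# GCP also exposes the metadata service under this name; deny it explicitly.
DENIED_HOSTS = {"metadata.google.internal"}

# Constructed placeholder allowlist of data sources the assistant may read.
ALLOWED_HOSTS = {"quotes.example-market-data.test"}


def check_egress(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (allowed, reason). Default-deny: only https URLs whose host is
    an allowlisted DNS name pass; IP literals and denied names never do."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    host = host.rstrip(".").lower()
    if host in DENIED_HOSTS:
        return False, f"denied host {host}"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a DNS name, not an IP literal
    if addr is not None:
        target = addr
        # ::ffff:169.254.169.254 is the same destination as the IPv4 address.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            target = addr.ipv4_mapped
        if any(target in net for net in DENIED_NETWORKS):
            return False, f"{host} is in a denied network"
        return False, "raw IP literals are not allowlisted"
    if host not in allowed_hosts:
        return False, f"{host} is not on the allowlist"
    # The connector must still pin the resolved address and re-run the network
    # check on it, otherwise DNS rebinding can steer an allowlisted name inward.
    return True, "ok"
```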

Palo Alto Networks recommends its AI Runtime Security and AI Access Security platforms as part of a layered approach to defense. These solutions provide visibility into agent behavior, monitor misuse of third-party generative AI tools, and enforce enterprise-level policies for agent interactions.

Conclusion

The rise of AI agents marks a significant evolution in autonomous systems. But as Unit 42's findings reveal, their security cannot be an afterthought. Agent applications widen the LLM's vulnerability surface by integrating external tools, enabling self-modification and introducing complex communication patterns, any of which can be exploited without adequate protection.

Securing these systems requires more than a robust framework: it requires intentional design choices, continuous monitoring and layered defenses. As enterprises begin to adopt AI agents at scale, it is time to build security-first development practices that keep pace with the intelligence they are building.




Asif Razzaq is CEO of Marktechpost Media Inc. As a visionary entrepreneur and engineer, Asif is committed to harnessing the potential of artificial intelligence for social good. His most recent endeavor is the launch of Marktechpost, an artificial intelligence media platform that provides in-depth coverage of machine learning and deep learning news that is both technically sound and easily understood by a wide audience. The platform has over 2 million views per month, demonstrating its popularity among its audience.
