OWASP LLM Top-10 (2025) — MCPKernel Mapping¶
This document maps each item in the OWASP Top 10 for Large Language Model Applications (2025) to the concrete MCPKernel control(s) that mitigate it.
MCPKernel is positioned between the agent host (Copilot, Cursor, Claude Desktop, LangGraph, etc.) and the downstream MCP servers, so most controls are enforced at the proxy boundary without touching agent code.
| Code | Risk | Status | Primary controls |
|---|---|---|---|
| LLM01 | Prompt Injection | ✅ Full | Taint tracker, policy block_on_taint, trust-decay |
| LLM02 | Sensitive Information Disclosure | ✅ Full | Secret/PII detectors, sink-blocking, audit redaction |
| LLM03 | Supply Chain | ✅ Full | CycloneDX SBOM, uv.lock, Sigstore-signed DEEs |
| LLM04 | Data & Model Poisoning | 🟡 Partial | Context drift detection, retroactive taint |
| LLM05 | Improper Output Handling | ✅ Full | Post-execution taint scan, structured-content redaction |
| LLM06 | Excessive Agency | ✅ Full | Per-tool allow-list, sandbox backends, agent.yaml validator |
| LLM07 | System Prompt Leakage | ✅ Full | Taint label SYSTEM_PROMPT, exfil sinks, audit |
| LLM08 | Vector & Embedding Weaknesses | 🟡 Partial | Policy hooks for retrieval tools (RAG-aware rules) |
| LLM09 | Misinformation | ⚪ Out of scope | (model-side) |
| LLM10 | Unbounded Consumption | ✅ Full | Rate-limit, RU budgets, sandbox CPU/RAM caps |
Legend: ✅ Full — enforced by default. 🟡 Partial — primitives present, opt-in policy required. ⚪ Out of scope — model-layer concern; MCPKernel cannot mitigate at the protocol boundary.
LLM01 — Prompt Injection¶
Threat. Malicious instructions arrive via tool output, retrieved documents, or user input and override the agent's system prompt.
MCPKernel controls.
mcpkernel.taint.TaintTrackerlabels every string flowing into the agent with its provenance (USER_INPUT,TOOL_RESULT,EXTERNAL_DOC,SYSTEM_PROMPT).TaintHook.post_execution(since v0.2 advances) scans bothcontentandstructuredContentreturned by upstream tools so the agent never sees laundered taint.- Elicitation responses are auto-tainted as
USER_INPUT. - Policy rule
block_on_taint: [USER_INPUT]on sensitive sinks (shell, file-system, network egress) breaks the inject → exec chain. - Trust-decay model in
docs/trust/reduces a tool's effective trust after suspicious payloads, fail-closed for high-impact actions.
Policy snippet.
rules:
- id: block_user_input_to_shell
when:
tool: { matches: "shell.*|run_command" }
taint: { contains: [USER_INPUT] }
action: deny
owasp:
- LLM01
LLM02 — Sensitive Information Disclosure¶
Threat. API keys, PII, or internal secrets leak through tool calls or responses.
MCPKernel controls.
mcpkernel.taint.sourcesships detectors for OpenAI/Anthropic/AWS keys, JWTs, private SSH keys, emails, SSNs, credit cards.taint.sinksflags outbound HTTP, file writes outside/tmp, clipboard, and Slack/Teams tool families as sensitive sinks.- Audit log fields are redacted by default (
AuditLogger.redact=True). - Policy
deny_on_taint: [SECRET, PII]against any external sink.
LLM03 — Supply Chain¶
Threat. Compromised dependency, model weight, or MCP server.
MCPKernel controls.
- CycloneDX 1.6 SBOM attached to every tagged release
(
release.yml, Section E). uv.lockcommitted — 131 transitive packages pinned with hashes;uv sync --frozenis used in CI.- Sigstore-signed DEEs — every replayable trace carries a
bundle.v0.3attestation, optionally with in-toto DSSE audit-batch statements (mcpkernel.audit.attest_audit_batch). - CodeQL +
pip-audit+dependency-review-actiongate every PR and weekly schedule.
LLM04 — Data & Model Poisoning¶
Threat. Long-running agent has its memory or retrieved corpus poisoned over many sessions.
MCPKernel controls.
mcpkernel.dee.driftdetects environment drift between recorded and replayed executions.- Retroactive taint (
docs/trust/retroactive.md) re-labels prior records when a source is later marked compromised. - Gap: corpus-level integrity scanning is delegated to the host's vector store; MCPKernel exposes hook points but no built-in detector. Tracked for v0.4.
LLM05 — Improper Output Handling¶
Threat. Unescaped tool output passed downstream (HTML/SQL/shell).
MCPKernel controls.
TaintHook.post_executionscans tool results before the host sees them and attaches labels for downstream policies.transform.pyprovides redaction and structured-content rewriters invoked by hooks.- Policies can require
escape=trueon specific tool→destination edges.
LLM06 — Excessive Agency¶
Threat. Agent has unnecessary tool, network, or filesystem permissions.
MCPKernel controls.
- Agent manifest (
agent.yaml) enumerates exactly the tools an agent may call; the proxy denies anything outside the list (tool_validator). - Sandbox backends (Docker, Firecracker, WASM, Microsandbox) execute tools with the minimum required syscalls; eBPF probe (Linux) filters at the kernel boundary.
- HelM chart ships with
runAsNonRoot,readOnlyRootFilesystem,capabilities.drop: [ALL],seccomp: RuntimeDefault(Section D).
LLM07 — System Prompt Leakage¶
Threat. A tool answer or error message exposes the agent's hidden system prompt or developer instructions.
MCPKernel controls.
SYSTEM_PROMPTis a first-class taint label.- Built-in rule set
policies/owasp_asi_2026_strict.yamlincludesdeny_on_taint: [SYSTEM_PROMPT]against every network egress sink. - Audit log captures the original prompt + redaction marker.
LLM08 — Vector & Embedding Weaknesses¶
Threat. Adversarial documents in a RAG store, embedding inversion, cross-tenant leakage in shared indexes.
MCPKernel controls.
- Policy hooks fire on retrieval-style tool names (
*.search,*.query,rag.*) — operators can enforce tenant scoping and result taint propagation. - Gap: embedding-similarity outlier detection is not built in.
Recommended pattern documented in
docs/security/attack-defenses.md.
LLM09 — Misinformation¶
Out of scope. MCPKernel does not inspect model outputs for factual correctness. Recommend pairing with an evaluation harness (promptfoo, DeepEval, etc.).
LLM10 — Unbounded Consumption¶
Threat. Token-flooding, denial-of-wallet, infinite tool loops.
MCPKernel controls.
mcpkernel.proxy.rate_limit— per-agent, per-tool, per-tenant token buckets with Prometheusmcpkernel_rate_limit_hits_totalcounter.- Sandbox CPU and memory limits enforced by every backend.
- DEE replay budgets cap re-execution storms.
Cross-reference¶
| Policy preset | LLM coverage |
|---|---|
policies/minimal.yaml |
LLM01, LLM02 (basic) |
policies/owasp_asi_2026_strict.yaml |
LLM01, LLM02, LLM05, LLM06, LLM07, LLM10 |
policies/custom_template.yaml |
template — adapt for LLM03, LLM04, LLM08 |
For the OWASP Agentic Security Initiative (ASI) 2026 mapping see
docs/compliance/presets.md.