As AI agents gain the ability to use tools, make decisions and interact with systems on behalf of users, the attack surface expands beyond the model itself. The OWASP Top 10 for agentic skills identifies the most critical risks in this emerging space, including prompt injection, tool misuse, supply chain compromise and the exploitation of human-agent trust. For organisations building or deploying agentic systems, the list is a useful secure-by-design checklist.
Prompt injection remains the foundational risk
Prompt injection tops the list for good reason. An attacker who can manipulate the input to an agent may be able to override its instructions, extract sensitive context or redirect its actions. Because agents often have access to tools and data, a successful prompt injection can be more damaging than a simple jailbreak.
Defences include input validation, clear separation between instructions and untrusted data, least-privilege tool access and output filtering. None of these is perfect on its own, but together they reduce the likelihood and impact of injection.
Tool misuse and over-permissioning
Agents are only as safe as the tools they can invoke. If an agent has broad access to APIs, databases or shell commands, a confused or manipulated agent can cause real damage. The principle is the same as for human users: grant the minimum permissions required, require approval for high-impact actions and log every tool invocation.
Tool descriptions and schemas should also be reviewed. A poorly described tool can be invoked in unintended ways, even by a well-behaved agent.
Supply chain compromise
Agents often rely on external models, plugins, function-call libraries and orchestration frameworks. Each of these is a supply chain dependency that can introduce vulnerabilities or backdoors. Organisations should track the provenance of agent components, pin versions and monitor advisories just as they do for application dependencies.
Human-agent trust exploitation
One of the more subtle risks is the exploitation of trust between humans and agents. If users become accustomed to accepting agent recommendations without scrutiny, attackers can craft outputs that appear authoritative but are misleading or malicious. This is particularly dangerous in high-stakes domains such as finance, healthcare and legal advice.
Mitigation includes clear labelling of AI-generated output, audit trails for decisions and keeping humans in the loop for consequential actions.
Secure-by-design principles
The OWASP list reinforces a few enduring principles. Design for failure. Assume inputs are hostile. Limit scope and permissions. Log and monitor. Keep humans accountable for high-impact decisions. These are not new ideas, but they need to be reapplied to a new category of system.
For UK engineering teams, the agentic skills top ten is a practical starting point for threat modelling and design review. Treat it as a living guide rather than a one-off compliance exercise.