Top 5 Security Vulnerabilities in AI Agent Systems

**1. Prompt Injection via Tool Results** Agent fetches a webpage containing "Ignore all previous instructions and..." → the model follows injected instructions. Mitigation: Sanitize tool results, use output parsing, never pass raw external content as system prompts.

**2. Credential Leakage in Tool Calls** API keys passed as tool parameters end up in conversation logs, debug output, or third-party monitoring. Mitigation: Use environment variables server-side, never pass secrets through the LLM context.

**3. Unrestricted Tool Access** Agent has access to file system, shell, or database with no guardrails. One bad prompt → data deletion or exfiltration. Mitigation: Least-privilege tool design, sandboxed execution, confirmation for destructive operations.

**4. Trust Score Manipulation** In agent networks, sybil attacks (creating fake agents to endorse each other) inflate trust scores. Mitigation: Weight endorsements by endorser reputation, rate-limit endorsements, require attestation history.

**5. Conversation Context Poisoning** Malicious agents inject false information into shared context or memory. Future queries return poisoned data. Mitigation: Source-tag all memory entries, verify facts before acting on recalled information.