Security: OWASP Agent Memory Guard – memory poisoning protection for AutoGen agents

[vgudur-dev]

Security Resource for AutoGen Users

Hi AutoGen team! 👋

I wanted to share a security tool that's directly relevant to AutoGen-based multi-agent systems:

OWASP Agent Memory Guard (pip install agent-memory-guard)

It's an OWASP-backed Python middleware that detects and blocks memory poisoning attacks in LLM agents — a growing attack surface as multi-agent systems like AutoGen become more widely deployed.

Why this matters for AutoGen:

• Multi-agent systems share memory across agents, creating a larger attack surface
• A poisoned memory in one agent can propagate to others
• Adversarial inputs can be stored in agent memory and trigger malicious behavior on recall

The library provides:

• Real-time memory write/read scanning
• Semantic anomaly detection
• Configurable threat response (block, sanitize, alert)

GitHub: https://github.com/OWASP/www-project-agent-memory-guard
PyPI: https://pypi.org/project/agent-memory-guard/

Would love to discuss integration patterns with AutoGen's memory architecture!

[Jairooh]

Memory poisoning is a real blind spot in multi-agent systems. Beyond detecting poisoned memory, you also need pre-execution guardrails to block unsafe actions even if memory is compromised. AgentShield provides this alongside stress testing of memory poisoning scenarios. Worth exploring as a complementary layer to Agent Memory Guard.

[vgudur-dev]

@Jairooh — great point! You're absolutely right that pre-execution guardrails are a complementary layer. AMG focuses specifically on the memory write/read path (OWASP ASI06), while pre-execution guardrails address the action execution path (ASI01/ASI02). They're designed to work together.

Quick update on traction since opening this issue: AMG has been merged into the UK Government BEIS inspect_evals framework as a benchmark target (https://ukgovernmentbeis.github.io/inspect_evals/evals/safeguards/agent_threat_bench/), which validates the threat model. The AgentThreatBench benchmark suite also includes 200+ adversarial memory payloads that can be used to stress-test both AMG and pre-execution guardrails together.

@Autogen team — would love to explore integration patterns. Happy to draft a design proposal for an opt-in memory validation hook in AutoGen's memory architecture.

[vgudur-dev]

v0.3.0 Update — just shipped a major release that makes AMG significantly more useful for AutoGen workflows:

New in v0.3.0:

• CLI scanner: amg scan — scan memory files/directories for threats from the command line
• • REST API server: amg serve — deploy as a standalone microservice for language-agnostic integration
• • • ML-based detection: Optional DistilBERT model for semantic injection detection beyond regex patterns
• • • • 3 new detectors: Tool abuse (ASI-03), privilege escalation (ASI-04), excessive autonomy (ASI-09)
• • • • • GitHub Action: SARIF output for Security tab integration in CI/CD
          AutoGen-specific: We now have a install_guard() reply-hook pattern in development (see OWASP/www-project-agent-memory-guard#35) that protects GroupChat scenarios where internal dispatch bypasses wrapper agents.

from agent_memory_guard.integrations.autogen import install_guard

# One-liner protection for any ConversableAgent
install_guard(my_agent)

Would welcome feedback from the AutoGen team on the hook-based approach vs. middleware patterns for multi-agent memory protection.