Sample vulnerable agent repos — intentionally insecure agents for demos, testing, and onboarding #127

@JBAhire

Description

Summary

Create a collection of intentionally vulnerable AI agent projects that demonstrate g0's scanning capabilities and help developers understand agent security risks hands-on.

Motivation

There's no "try it yourself" experience for g0. A developer running g0 scan on their own code may get zero findings (good code) or be overwhelmed (many findings). Sample repos provide:

  • Onboarding: "Run g0 on this and see what it finds"
  • Demos: Conference talks, sales demos, blog posts
  • Testing: Regression testing for g0's detection engine
  • Education: Teach developers about agent security risks

Proposed Repos

1. vuln-banking-agent (Python/LangChain)

  • Shared memory between users
  • SQL injection via unvalidated tool
  • System prompt with no boundaries
  • Hardcoded API keys
  • No human oversight for transfers
  • Expected: ~15 findings, score ~45

2. vuln-support-bot (TypeScript/Vercel AI)

  • PII leakage in responses
  • No rate limiting on endpoint
  • Code execution without sandbox
  • Memory persists across sessions
  • Expected: ~12 findings, score ~55

3. vuln-mcp-server (TypeScript/MCP)

  • Tool descriptions with injection payloads
  • No input schema validation
  • Hardcoded credentials in config
  • Overly broad tool permissions
  • No version pinning
  • Expected: ~10 findings, score ~50

4. vuln-multi-agent (Python/CrewAI)

  • Unrestricted agent delegation
  • No privilege boundaries between agents
  • Shared tools without access control
  • No audit trail
  • Expected: ~18 findings, score ~35

5. secure-agent-reference (Python/LangChain)

  • Same use case as vuln-banking-agent but properly secured
  • Shows all the fixes applied
  • Expected: 0-2 findings, score ~95
  • Paired with vuln-banking-agent for before/after comparison
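An added illustration, not code from the guard0/g0 project or any of the proposed repos: the kind of before/after pair that vuln-banking-agent (item 1) and secure-agent-reference (item 5) would carry. Tool names are hypothetical, the rows are constructed, and an in-memory sqlite3 table stands in for the bank database so it runs offline without LangChain.

```python
# Added illustration (hypothetical tool functions, constructed data);
# not code from guard0/g0 or the proposed sample repos.
import sqlite3

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (user TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250)])  # constructed rows
    return conn

# --- "before": one dict shared by every user, SQL built from tool input ---
SHARED_MEMORY: dict = {}

def vuln_get_balance(conn: sqlite3.Connection, user: str) -> list:
    SHARED_MEMORY["last_user"] = user  # finding: shared memory between users
    query = f"SELECT user, balance FROM accounts WHERE user = '{user}'"
    return conn.execute(query).fetchall()  # finding: SQL injection via tool

def vuln_transfer(conn, src: str, dst: str, amount: int) -> bool:
    conn.execute(f"UPDATE accounts SET balance = balance - {amount} WHERE user = '{src}'")
    conn.execute(f"UPDATE accounts SET balance = balance + {amount} WHERE user = '{dst}'")
    return True  # finding: no human oversight for transfers

# --- "after": per-session memory, allow-listed input, parameterised SQL,
# --- and an explicit human-approval gate before money moves -------------
def secure_get_balance(conn, session_memory: dict, user: str) -> list:
    if not user.isalnum():
        raise ValueError("account name must be alphanumeric")
    session_memory["last_user"] = user  # scoped to this session only
    return conn.execute(
        "SELECT user, balance FROM accounts WHERE user = ?", (user,)).fetchall()

def secure_transfer(conn, src, dst, amount: int, approved_by_human: bool) -> bool:
    if not approved_by_human or amount <= 0:
        return False  # refuse until a reviewer has confirmed the transfer
    with conn:  # atomic: both updates commit or neither does
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE user = ?", (amount, src))
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE user = ?", (amount, dst))
    return True

if __name__ == "__main__":
    db = make_db()
    print("vuln rows for quoted input:", len(vuln_get_balance(db, "x' OR '1'='1")))
    print("secure rows for alice:", secure_get_balance(db, {}, "alice"))
```

The FINDINGS.md of each repo would map every `# finding:` comment above to the corresponding g0 rule and explain the fix shown in the secure half.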

Per Repo Structure

vuln-banking-agent/
├── README.md          # What this is, how to scan it
├── main.py            # Agent code
├── tools.py           # Tools with vulnerabilities
├── .g0.yaml           # g0 config
├── FINDINGS.md        # Expected findings with explanations
└── requirements.txt

Hosting

  • Separate public repos under the guard0-ai org
  • Or a single guard0-ai/vuln-agents monorepo with subdirectories
  • Referenced from g0 README and docs/getting-started.md

Acceptance Criteria

  • 4 vulnerable agent repos covering different frameworks
  • 1 secure reference repo showing proper fixes
  • Each repo has README explaining vulnerabilities
  • Each repo has FINDINGS.md with expected g0 output
  • Referenced from g0 getting-started docs
  • Works with npx @guard0/g0 scan . out of the box

Metadata

Labels: developer-experience (IDE extensions, CI/CD, GitHub App, SDK), documentation (Improvements or additions to documentation)