Risk
Dynamic/On-the-Fly Dependency Injection
Description
Agent fetches/loads plugins, libraries, or code packages during execution, introducing supply chain, malware, or licensing risks.
Example
Agent installs a PyPI package at runtime that contains a backdoor or violates its software license.
Assets Affected
Agentic platform (no code)
Tool / function
Coding agent (config)
Mitigation
- Disable or tightly control dynamic loading of code/dependencies
- Use pre-approved allowlists
- Scan dependencies for vulnerabilities and license compliance
- Monitor and log all installation attempts
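The four mitigations above fit together as one control point: a policy gate placed in front of whatever tool the agent uses to install packages. The following is an added example, not code from the original catalogue entry or from any named agent platform. It assumes a hypothetical coding agent whose install tool can be wrapped by a Python function, and a constructed allowlist (package names, approved versions and the license recorded at review time); the `run` callable that executes the installer is injected so the gate can be exercised without touching a real environment. The pip flags used are real pip options.

```python
import json
import logging
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("agent.install_gate")

# Constructed allowlist (example values): packages a reviewer approved at
# exact versions after a vulnerability and licence scan. Keep the real list
# outside any path the agent can write to.
ALLOWLIST: Dict[str, Dict[str, object]] = {
    "requests": {"versions": {"2.32.3"}, "license": "Apache-2.0"},
    "pyyaml": {"versions": {"6.0.2"}, "license": "MIT"},
}

# Accept only exact pins: name, optional [extras], '==', version.
_PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([A-Za-z0-9._+!-]+)\s*$"
)


def normalize_name(name: str) -> str:
    """PEP 503 name normalisation so 'PyYAML' and 'pyyaml' hit the same entry."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass
class Decision:
    allowed: bool
    reason: str
    package: Optional[str] = None
    version: Optional[str] = None
    license: Optional[str] = None


def evaluate_install(requirement: str, audit: List[dict]) -> Decision:
    """Policy check for one install request. Every attempt, allowed or denied,
    is appended to `audit` and logged as JSON, so refusals are visible too."""
    if "://" in requirement or "@" in requirement:
        # 'name @ url' and VCS specs bypass the registry the allowlist refers to.
        decision = Decision(False, "direct URL / VCS references are not permitted")
    else:
        m = _PIN_RE.match(requirement)
        if not m:
            decision = Decision(False, "requirement must be pinned with '=='")
        else:
            name, version = normalize_name(m.group(1)), m.group(2)
            entry = ALLOWLIST.get(name)
            if entry is None:
                decision = Decision(False, "package not on allowlist", name, version)
            elif version not in entry["versions"]:
                decision = Decision(False, "version not approved", name, version)
            else:
                decision = Decision(True, "allowlisted", name, version, str(entry["license"]))
    record = {"requirement": requirement, **decision.__dict__}
    audit.append(record)
    log.info(json.dumps(record))
    return decision


def install_package(requirement: str,
                    run: Callable[[List[str]], int],
                    audit: List[dict]) -> bool:
    """Gate in front of the real installer. `run` executes an argv and returns
    its exit code (a hypothetical hook; inject a fake in tests). '--no-deps'
    stops unreviewed transitive packages from being pulled in, and
    '--only-binary=:all:' avoids executing a source distribution's setup code
    during installation."""
    decision = evaluate_install(requirement, audit)
    if not decision.allowed:
        return False
    argv = ["python", "-m", "pip", "install", "--no-deps", "--only-binary=:all:",
            f"{decision.package}=={decision.version}"]
    return run(argv) == 0
```

Because `--no-deps` is used, every transitive dependency must itself be on the allowlist and requested explicitly; that is deliberate, since an unpinned dependency resolver is exactly the path by which an unreviewed package enters at runtime. The `audit` list stands in for whatever log sink the platform provides; the point is that denied attempts are recorded with the same detail as successful ones.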
Standards Mapping
- ISO 42001: A.10.3, A.6.2.6
- OWASP Top 10 for LLM: LLM03
- NIST AI RMF: GOVERN 6.1, MANAGE 3.1
- DASF v2: MODEL 7.3, ALGORITHMS 5.4