Risk
Untested Endpoint Agent Behaviors
Description
Endpoint coding agents, browser agents, and computer-use agents are not in red-team scope, leaving YOLO-mode, MCPoison, CurXecute-class, and browser-injection scenarios unexamined.
Example
A repo contains a crafted file that triggers RCE via an endpoint coding agent (CurXecute-style); the red team only tested the cloud-deployed agent.
Assets Affected
AI Agent
Agent Config
MCP Server
Agent Execution Sandbox
Mitigation
- Include endpoint-agent scenarios in red-team scope
- test YOLO/skip-permissions modes, wildcard tool allowlists, MCP description poisoning, and browser cross-origin abuse
- validate endpoint agent sandboxes.
Standards Mapping
- ISO: A.6.2.4, A.4.5
- OWASP agentic: ASI05, ASI02
- OWASP LLM: LLM01:2025
- EU AI Act: Art. 15(5)
- DASF: Agents-Core 13.11, Agents-MCP Client 13.32
- AIUC-1: B001, D004