Introduction to Memory Poisoning
The OpenAI Agents SDK is a powerful tool for building production AI agents, but as agents grow more capable and stateful, a critical attack surface emerges: memory poisoning, also known as ASI06. This type of attack occurs when an attacker injects malicious content via any user-controlled input that gets stored in the agent's context. If this poisoned content is stored in persistent context memory, it can override system instructions across sessions, leading to unintended consequences. ASI06 memory poisoning is listed as one of the top risks for production agents in the OWASP Top 10 for Agentic AI Systems.
Understanding the Attack
The attack is simple: an attacker injects malicious content via any user-controlled input that gets stored in the agent's context. If this poisoned content is stored in persistent context memory, it can override system instructions across sessions, leading to unintended consequences. The OpenAI Agents SDK uses a typed context object passed to every agent run. When you use a Pydantic BaseModel for your context, which the SDK fully supports, you get a natural validation hook via field validator. This allows you to block ASI06 memory poisoning attempts before they enter the context.
Defending Against Memory Poisoning
To defend against memory poisoning, you can use the Pydantic context architecture to validate the context before it is stored in persistent memory. This can be done by using a Pydantic BaseModel for your context and implementing a field validator to check for malicious content. The field validator can use a memory guard to scan the context for any poisoned content and block it before it enters the agent's reasoning context. This approach provides a strong defense against ASI06 memory poisoning attempts and helps to ensure the integrity of the agent's context.
Implementing the Solution
To implement this solution, you can use the Pydantic BaseModel to define your context and implement a field validator to check for malicious content. The field validator can use a memory guard to scan the context for any poisoned content and block it before it enters the agent's reasoning context. This approach provides a strong defense against ASI06 memory poisoning attempts and helps to ensure the integrity of the agent's context. By using this approach, you can help to protect your agents from memory poisoning attacks and ensure that they operate safely and securely.
Conclusion
In conclusion, memory poisoning is a serious threat to the security of AI agents, but it can be defended against using the Pydantic context architecture and a memory guard. By implementing a field validator to check for malicious content and blocking it before it enters the agent's reasoning context, you can help to protect your agents from memory poisoning attacks and ensure that they operate safely and securely. This approach provides a strong defense against ASI06 memory poisoning attempts and helps to ensure the integrity of the agent's context. By using this approach, you can help to build more secure and reliable AI agents that can operate safely and securely in a variety of environments.