Prompt injection and excessive agency test protocol
A concept note for turning the security testing approach in ZAN-RN-006 into a reusable protocol that can run against any tool-using agent, not just the reference implementation.
Whether a framework-agnostic fixture format can drive consistent attack-success-rate and unsafe-tool-call-rate scoring across agents built on different orchestration stacks.
- Portable fixture schema
- Normalised permission-scope mapping
- Cross-framework comparison protocol
Run the ZAN-RN-006 fixture set against two structurally different agent frameworks and test whether normalised scoring produces comparable, explainable results.
A portable fixture schema, covering direct injection, indirect injection, tool misuse, and excessive agency, can produce comparable security scores across agent frameworks if tool permission scopes are normalised before scoring.
From a single reference agent to a portable protocol
ZAN-RN-006 demonstrated the threat taxonomy and fixture format against one reference agent. This note scopes the work needed to make the protocol reusable across agent frameworks with different tool-calling and permission models.
Related research
View allPrompt injection and tool misuse in agentic workflows
How should agentic systems be tested against prompt injection, tool misuse, and excessive agency?
A measurement model for AI deployment readiness
How should teams measure whether an AI system is ready for controlled production deployment?
Trace semantics for tool-using agents
What trace semantics are needed to explain failures in tool-using AI agents?