The risks that only exist when an AI calls tools.
CAST — the Capframe Agent Security Taxonomy — is a focused set of nine risk categories specific to tool-using AI agents. Each maps to a concrete Capframe module, so the taxonomy is actionable rather than theoretical. CAST extends OWASP-LLM, NIST AI-RMF, and MITRE ATLAS — where they already cover something well, we say so and point to them. CAST fills the gaps they leave.
Tool Capability Excess
Agent granted tools with dangerous native authority without meaningful constraints — code execution, unbounded money movement, filesystem or secret access.
Indirect Injection via Tool Output
Tool-returned content (a scraped page, an email, an invoice) hijacks agent reasoning into unauthorized actions.
Insufficient Capability Scoping
Agent holds broader tool access than any single task requires — no least privilege applied at token issuance.
Tool Metadata Poisoning
Tool names, descriptions, or input schemas manipulated to deceive the agent about what a call actually does.
Capability Boundary Violation
Agent escapes its permission scope via token abuse, call chaining, or attacks on token attenuation.
Cross-Tool Propagation
Compromise of one tool cascades unauthorized actions across the agent's whole tool surface.
Persistent State Poisoning
Agent memory, context store, or RAG corpus poisoned to persistently skew every future session that reads it.
Uncontrolled Tool Invocation
Runaway loops or burst tool calls cause DoS, cost explosion, or side-effect storms.
Multi-Agent Authority Delegation
An agent delegates authority to a sub-agent that would not have been granted it directly.
Every finding on the public leaderboard and in every findings.v1 report is tagged with its CAST category alongside its OWASP / NIST / ATLAS mappings — the same taxonomy, applied to real MCP servers.
Cite as: Capframe Agent Security Taxonomy (CAST) v0.1. Capframe, 2026. https://capframe.ai/cast