CAST v0.1 · taxonomy · 9 categories

The risks that only exist when an AI calls tools.

CAST — the Capframe Agent Security Taxonomy — is a focused set of nine risk categories specific to tool-using AI agents. Each maps to a concrete Capframe module, so the taxonomy is actionable rather than theoretical. CAST extends OWASP-LLM, NIST AI-RMF, and MITRE ATLAS — where they already cover something well, we say so and point to them. CAST fills the gaps they leave.

CAST-01: Tool Capability Excess
Agent granted tools with dangerous native authority without meaningful constraints — code execution, unbounded money movement, filesystem or secret access.
Module: Find

CAST-02: Indirect Injection via Tool Output
Tool-returned content (a scraped page, an email, an invoice) hijacks agent reasoning into unauthorized actions.
Module: Guard

CAST-03: Insufficient Capability Scoping
Agent holds broader tool access than any single task requires — no least-privilege at token issuance.
Module: Bind

CAST-04: Tool Metadata Poisoning
Tool names, descriptions, or input schemas manipulated to deceive the agent about what a call actually does.
Module: Find

CAST-05: Capability Boundary Violation
Agent escapes its permission scope via token abuse, chaining, or attenuation attacks.
Module: Bind

CAST-06: Cross-Tool Propagation
Compromise of one tool cascades unauthorized actions across the agent's whole tool surface.
Module: Guard

CAST-07: Persistent State Poisoning
Agent memory, context store, or RAG corpus poisoned to persistently skew every future session that reads it.
Module: Guard

CAST-08: Uncontrolled Tool Invocation
Runaway loops or burst tool calls cause DoS, cost explosion, or side-effect storms.
Module: Guard

CAST-09: Multi-Agent Authority Delegation
An agent delegates authority to a sub-agent that would not have been granted it directly.
Module: Bind + Guard

Every finding on the public leaderboard and in every findings.v1 report is tagged with its CAST category alongside its OWASP / NIST / ATLAS mappings — the same taxonomy, applied to real MCP servers.

Cite as: Capframe Agent Security Taxonomy (CAST) v0.1. Capframe, 2026. https://capframe.ai/cast