[REVIEW] agentic-top-10: add persistent memory integrity evidence gates

[catcherintheroad-hub]

Skill Being Reviewed

Skill name: agentic-top-10
Skill path: skills/ai-security/agentic-top-10/

False Positive Analysis

Benign-looking memory design that can be over-credited:

memory:
  store: pgvector
  write_policy: "agent may save useful facts"
  retrieval: "top_k: 8"
  delete_endpoint: "/memory/{id}"

Why this is a false positive:

The design acknowledges persistent memory but does not prove that memory writes are approved, provenance-tagged, integrity-protected, retrievable by trust tier, quarantinable, or removable after poisoning. A review can mark AG04 Memory Poisoning as mitigated because a vector store exists or memory is "reviewed periodically" while poisoned content can still be written, retrieved into future prompts, and retained indefinitely.

Coverage Gaps

Missed variant 1: untrusted write path becomes long-term context

User-submitted documents or tool outputs are summarized and saved to persistent memory without trust labels, source attribution, or human approval.

Missed variant 2: retrieval ignores trust boundaries

System-provided memory, user-submitted context, and agent-generated notes are mixed in the same vector index and ranked only by similarity.

Missed variant 3: poisoned memory cannot be contained

The system has no quarantine, tombstone, re-embedding, audit replay, or downstream cache invalidation process after a poisoned memory entry is discovered.

Edge Cases

• Ephemeral session memory can be lower risk than cross-session memory but still needs prompt-injection handling before reuse within the same task.
• User-authored personal memory may be acceptable when it is isolated per user and never promoted to system/developer trust.
• Vector deletes may not remove derived embeddings, summaries, caches, or replicated indexes.

Remediation Quality

• Fix resolves the vulnerability
• Fix doesn't introduce new security issues
• Fix doesn't break functionality
• Issues found: Add AG04 evidence gates for memory write authorization, provenance, trust-tiered retrieval, poisoning detection, quarantine/removal, cache invalidation, and audit retention.

Comparison to Other Tools

Tool	Catches this?	Notes
Vector DB access controls	Partial	Can restrict direct writes, but cannot prove agent-level memory promotion policy.
RAG evaluation suites	Partial	May detect bad retrieval quality but often miss trust-tier and containment evidence.
Prompt-injection tests	Partial	Exercise injection payloads but usually do not validate persistent memory cleanup and replay.

Overall Assessment

Strengths: Strong AG04 explanation and high-level mitigations around provenance, append-only integrity, trust separation, and memory decay.

Needs improvement: Add operational evidence requirements so reviewers can distinguish a documented memory concept from an enforceable memory integrity lifecycle.

Priority recommendations:

1. Add an AG04 memory integrity evidence checklist for write, retrieval, and deletion paths.
2. Require trust labels, source attribution, approval state, TTL, and integrity metadata for saved memories.
3. Add output fields for memory stores, write sources, retrieval filters, quarantine/removal controls, and residual cache risk.

Sources Checked

• OWASP Top 10 for LLM Applications 2025: https://owasp.org/www-project-top-10-for-large-language-model-applications/
• NIST AI RMF 1.0: https://www.nist.gov/itl/ai-risk-management-framework
• MITRE ATLAS Data Poisoning: https://atlas.mitre.org/techniques/AML.T0020/

Bounty Info

• I have read and agree to the CONTRIBUTING.md bounty terms
• Preferred payment method: GitHub Sponsors

[bozicovichsantiago20-oss]

/attempt #1374

I am taking a focused implementation pass for skills/ai-security/agentic-top-10/ covering persistent memory integrity evidence: write authorization, provenance and trust labels, retrieval trust boundaries, poisoning detection, quarantine/removal, cache invalidation, and residual risk output fields.

Bounty target: review issue + Improver Moderate if accepted. Payment details can be provided privately after maintainer acceptance.

[bozicovichsantiago20-oss]

Implemented in PR #1388: #1388

Validation completed:

• git diff --check
• Markdown fence balance check
• Required marker check for Memory Integrity Evidence Checklist, AG04 Memory Integrity Gate, memory output fields, and residual cache risk

Bounty target: review issue + Improver Moderate if accepted. Payment details can be provided privately after maintainer acceptance.

[kehansama]

Excellent analysis on the AG04 Memory Poisoning false positive pattern. Your three coverage gaps (untrusted write paths, trust-blind retrieval, uncontainable poisoned memory) map directly to real incidents we've seen in the wild.

A few additions from an implementation perspective:

1. The provenance gap is wider than most teams realize. When an agent writes memory from a tool output (e.g., web search result, API response), that memory inherits the trust level of the source, not the agent. Most memory systems don't track this chain. A simple fix: every memory write should carry a provenance chain like agent → tool(https://...) → raw_response → memory_entry. This makes it possible to retrospectively quarantine all memories from a compromised source.

2. Trust-tiered retrieval needs to be the default, not an optional plugin. The pattern of mixing system-level memory, user memory, and agent-generated notes in a single vector index with similarity-only ranking is the most common architecture mistake we see. A practical schema:

retrieval_pipeline:
  - filter: trust_tier >= context.required_tier
  - sort: (similarity * 0.6) + (recency * 0.2) + (trust_score * 0.2)
  - limit: top_k * 2  (then re-rank by trust)

This prevents low-trust memories from displacing high-trust context just because they happen to be semantically similar.

3. Quarantine should be immediate, not periodic. Your point about "no tombstone or cache invalidation process" is critical. In production, we've found that poisoned memory entries need to be:

• Flagged (not deleted) so audit trails are preserved
• Excluded from retrieval within milliseconds
• Propagated to all downstream caches (session context, embedding cache, prompt cache)

This is the kind of operational rigor that separates a memory system from a production-grade agent infrastructure.

We've been building AgentRelay with these security constraints as first-class concerns rather than afterthoughts. Happy to share more implementation details if useful — the intersection of agent memory and security is where the hardest engineering problems live.