Scan path: C:\Users\gilad\Projects\warden\gallery\repos\autogen\python\packages\autogen-core
Scanned: 2026-04-10 23:08 UTC
Warden: v1.6.0 · Scoring model v4.3 · 17 dimensions (weighted) · 235 pts
🔒 Privacy guarantee
All data collected locally — nothing left this machine.
API keys: partial hashes only.
Log content: never stored.
📊 Scanned 92 files (92 Python) in autogen-core across 7 scan layers
Overall score: 6 / 100 (15 / 235 raw) · UNGOVERNED
Core Governance (9 / 100)
D1 Tool Inventory
4 / 25
D2 Risk Detection
0 / 20
CRITICAL Agent loop with LLM call has no exit condition — potential infinite loop
CRITICAL Agent loop with LLM call has no exit condition — potential infinite loop
CRITICAL Agent loop with LLM call has no exit condition — potential infinite loop
D3 Policy Coverage
2 / 20
D4 Credential Management
3 / 20
D5 Log Hygiene
0 / 10
HIGH Potential PII/sensitive data logged via f-string
HIGH Potential PII/sensitive data logged via f-string
HIGH Potential PII/sensitive data logged via f-string
HIGH Potential PII/sensitive data logged via f-string
HIGH Potential PII/sensitive data logged via f-string
+ 3 more findings
D6 Framework Coverage
0 / 5
CRITICAL AutoGen code execution without Docker sandboxing
CRITICAL AutoGen code execution without Docker sandboxing
CRITICAL AutoGen code execution without Docker sandboxing
CRITICAL AutoGen code execution without Docker sandboxing
CRITICAL AutoGen code execution without Docker sandboxing
+ 33 more findings
Advanced Controls (2 / 50)
D7 Human-in-the-Loop
0 / 15
HIGH AutoGen agent without is_termination_msg — no conversation exit condition
HIGH AutoGen agent without is_termination_msg — no conversation exit condition
HIGH AutoGen agent without is_termination_msg — no conversation exit condition
HIGH AutoGen agent without is_termination_msg — no conversation exit condition
HIGH AutoGen agent without is_termination_msg — no conversation exit condition
+ 32 more findings
D8 Agent Identity
2 / 15
HIGH Agent class 'Agent' has no permission model
HIGH Agent class 'BaseAgent' has no permission model
HIGH Agent class 'ClosureAgent' has no permission model
HIGH Agent class 'RoutedAgent' has no permission model
MEDIUM Agent class 'RoutedAgent' has no defined lifecycle states
+ 15 more findings
D9 Threat Detection
0 / 20
HIGH Empty exception handler — errors silently swallowed
HIGH Empty exception handler — errors silently swallowed
HIGH Empty exception handler — errors silently swallowed
Ecosystem (4 / 55)
D10 Prompt Security
0 / 15
HIGH Azure AI used without ContentSafetyClient — no content moderation
D11 Cloud / Platform
1 / 10
D12 LLM Observability
0 / 10
MEDIUM Hardcoded model name: 'gpt-41' — no routing/fallback
MEDIUM Hardcoded model name: 'gpt-45' — no routing/fallback
MEDIUM Hardcoded model name: 'gpt-4o' — no routing/fallback
MEDIUM Hardcoded model name: 'gpt-4' — no routing/fallback
MEDIUM Hardcoded model name: 'gemini-1.5-flash' — no routing/fallback
+ 31 more findings
D13 Data Recovery
0 / 10
D14 Compliance Maturity
3 / 10
MEDIUM Unpinned AI dependency: autogen
MEDIUM Unpinned AI dependency: autogen
MEDIUM Unpinned AI dependency: autogen
MEDIUM Unpinned AI dependency: langchain
MEDIUM Unpinned AI dependency: openai
+ 11 more findings
Unique Capabilities (0 / 30)
D15 Post-Exec Verification
0 / 10
D16 Data Flow Governance
0 / 10
D17 Adversarial Resilience
0 / 10
CRITICAL No content injection defense — hidden HTML/CSS/zero-width instructions pass to agents undetected. (86% attack success rate)
CRITICAL No RAG poisoning protection — knowledge base documents not scanned for embedded instructions. (<0.1% contamination = >80% attack success)
HIGH No behavioral trap detection — post-execution behavioral changes not monitored. (10/10 M365 Copilot attacks succeeded)
HIGH No approval integrity verification -- agent summaries for approval not cross-checked against actual actions. (Approval fatigue exploitation)
MEDIUM No adversarial testing evidence — no red team, no prompt injection tests
+ 3 more findings
Score reflects only what Warden can observe locally. Undetected controls are scored as 0, not assumed good. Dimensions are weighted by governance impact. Methodology: SCORING.md
Total Findings: 170 (44 CRITICAL · 61 HIGH)
Tools Detected: 0 (none detected)
Credentials: 0 (none detected)
Governance Gaps: 11 of 17 dimensions
Compliance Refs: 10 (EU AI Act / OWASP / MITRE)
🛡 Governance Layer Detection · 0 tools detected · 17 dimensions
D2: Risk Detection — none detected
Risk classification, semantic analysis, intent-parameter consistency
0 / 20 pts
D5: Log Hygiene — none detected
PII in logs, WORM/immutable storage, hash chain integrity, retention policy
0 / 10 pts
D6: Framework Coverage — none detected
LangChain/AutoGen/CrewAI/custom framework detection
0 / 5 pts
D7: Human-in-the-Loop — none detected
Approval gates, dry-run preview, plan-execute separation
0 / 15 pts
D9: Threat Detection — none detected
Behavioral baselines, anomaly detection, cross-session tracking, kill switch
0 / 20 pts
D10: Prompt Security — none detected
Prompt injection detection, jailbreak prevention, content filtering
0 / 15 pts
D12: LLM Observability — none detected
Cost tracking, latency monitoring, model analytics
0 / 10 pts
D13: Data Recovery — none detected
Rollback, undo, point-in-time recovery for agent actions
0 / 10 pts
D15: Post-Exec Verification — none detected
Result validation, PASS/FAIL verdicts, failure fingerprinting
0 / 10 pts
D16: Data Flow Governance — none detected
Taint labels, data classification, cross-tool leakage prevention
0 / 10 pts
D17: Adversarial Resilience — none detected
Trap defense + adversarial testing (DeepMind AI Agent Traps)
0 / 10 pts
📊 Solutions Comparison · 2 rows · 17 dimensions · 235 max pts

Tool         D1  D2  D3  D4  D5  D6  D7  D8  D9  D10  D11  D12  D13  D14  D15  D16  D17  /235  /100
Max pts      25  20  20  20  10   5  15  15  20   15   10   10   10   10   10   10   10   235
SharkRouter  23  18  18  18   9   5  14  14  18   14    9    9    9    9    9    9    9   214    91
Your Scan     4   0   2   3   0   0   0   2   0    0    1    0    0    3    0    0    0    15     6
SharkRouter per-dimension scores are proportional estimates from total score. Detected tool scores are totals only (per-dimension breakdown not available). Methodology: SCORING.md
🔎 Findings · 170 total
CRITICAL 44
CRITICAL D2
Agent loop with LLM call has no exit condition — potential infinite loop
...n\python\packages\autogen-core\src\autogen_core\_queue.py:118
Add max_iterations, timeout, or explicit break condition
CRITICAL D2
Agent loop with LLM call has no exit condition — potential infinite loop
...n\python\packages\autogen-core\src\autogen_core\_queue.py:165
Add max_iterations, timeout, or explicit break condition
CRITICAL D2
Agent loop with LLM call has no exit condition — potential infinite loop
...\autogen-core\src\autogen_core\tool_agent\_caller_loop.py:46
Add max_iterations, timeout, or explicit break condition
CRITICAL D5
No audit logging for tool calls detected
Add audit logging for all tool/agent executions
EU AI Act Article 12
CRITICAL D6
AutoGen code execution without Docker sandboxing
...\python\packages\autogen-core\src\autogen_core\logging.py:33
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...ges\autogen-core\src\autogen_core\_agent_instantiation.py:26
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...\packages\autogen-core\src\autogen_core\_agent_runtime.py:94
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...\packages\autogen-core\src\autogen_core\_closure_agent.py:162
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...ckages\autogen-core\src\autogen_core\_component_config.py:214
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...n\python\packages\autogen-core\src\autogen_core\_image.py:25
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...n\packages\autogen-core\src\autogen_core\_intervention.py:33
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...n\packages\autogen-core\src\autogen_core\_routed_agent.py:427
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...n-core\src\autogen_core\_single_threaded_agent_runtime.py:175
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...utogen-core\src\autogen_core\_type_prefix_subscription.py:19
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...kages\autogen-core\src\autogen_core\_type_subscription.py:19
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...en-core\src\autogen_core\code_executor\_func_with_reqs.py:179
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...ages\autogen-core\src\autogen_core\memory\_list_memory.py:37
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...rc\autogen_core\model_context\_chat_completion_context.py:28
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...ges\autogen-core\src\autogen_core\tools\_function_tool.py:59
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...\autogen-core\src\autogen_core\utils\_json_to_pydantic.py:411
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...gen\python\packages\autogen-core\tests\test_base_agent.py:2
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...en\python\packages\autogen-core\tests\test_cache_store.py:3
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...n\python\packages\autogen-core\tests\test_cancellation.py:5
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...\python\packages\autogen-core\tests\test_closure_agent.py:5
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...\python\packages\autogen-core\tests\test_code_executor.py:4
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...thon\packages\autogen-core\tests\test_component_config.py:7
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...n\python\packages\autogen-core\tests\test_intervention.py:4
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...ython\packages\autogen-core\tests\test_json_extraction.py:2
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...thon\packages\autogen-core\tests\test_json_to_pydantic.py:6
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...autogen\python\packages\autogen-core\tests\test_memory.py:4
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...autogen\python\packages\autogen-core\tests\test_models.py:2
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...\python\packages\autogen-core\tests\test_model_context.py:4
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...n\python\packages\autogen-core\tests\test_routed_agent.py:6
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...utogen\python\packages\autogen-core\tests\test_runtime.py:4
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...\python\packages\autogen-core\tests\test_serialization.py:5
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...\autogen\python\packages\autogen-core\tests\test_state.py:4
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...ges\autogen-core\tests\test_static_workbench_overrides.py:4
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...n\python\packages\autogen-core\tests\test_subscription.py:2
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...\autogen\python\packages\autogen-core\tests\test_tools.py:7
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...gen\python\packages\autogen-core\tests\test_tool_agent.py:7
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...\autogen\python\packages\autogen-core\tests\test_types.py:5
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D6
AutoGen code execution without Docker sandboxing
...ogen\python\packages\autogen-core\tests\test_workbench.py:4
Set code_execution_config={'use_docker': True} for safe code execution
OWASP LLM01 · MITRE AML.T0051
CRITICAL D17
No content injection defense — hidden HTML/CSS/zero-width instructions pass to agents undetected. (86% attack success rate)
Deploy trap defense layer on tool results
EU AI Act Article 15 · OWASP LLM01 · MITRE AML.T0051
CRITICAL D17
No RAG poisoning protection — knowledge base documents not scanned for embedded instructions. (<0.1% contamination = >80% attack success)
Deploy trap defense layer on tool results
EU AI Act Article 15 · OWASP LLM01 · MITRE AML.T0049
HIGH 61
HIGH D9
Empty exception handler — errors silently swallowed
...hon\packages\autogen-core\src\autogen_core\_base_agent.py:204
Log the exception or handle it explicitly
HIGH D9
Empty exception handler — errors silently swallowed
...n\python\packages\autogen-core\src\autogen_core\_queue.py:130
Log the exception or handle it explicitly
HIGH D9
Empty exception handler — errors silently swallowed
...n\python\packages\autogen-core\src\autogen_core\_queue.py:177
Log the exception or handle it explicitly
HIGH D5
Potential PII/sensitive data logged via f-string
...n\packages\autogen-core\src\autogen_core\_routed_agent.py:491
Redact sensitive fields before logging
EU AI Act Article 15 · OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...n-core\src\autogen_core\_single_threaded_agent_runtime.py:369
Redact sensitive fields before logging
EU AI Act Article 15 · OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...n-core\src\autogen_core\_single_threaded_agent_runtime.py:405
Redact sensitive fields before logging
EU AI Act Article 15 · OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...n-core\src\autogen_core\_single_threaded_agent_runtime.py:648
Redact sensitive fields before logging
EU AI Act Article 15 · OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...n-core\src\autogen_core\_single_threaded_agent_runtime.py:475
Redact sensitive fields before logging
EU AI Act Article 15 · OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...n-core\src\autogen_core\_single_threaded_agent_runtime.py:571
Redact sensitive fields before logging
EU AI Act Article 15 · OWASP LLM06
HIGH D8
Agent class 'Agent' has no permission model
...n\python\packages\autogen-core\src\autogen_core\_agent.py:13
Add role/permission checks before tool dispatch
HIGH D8
Agent class 'BaseAgent' has no permission model
...hon\packages\autogen-core\src\autogen_core\_base_agent.py:60
Add role/permission checks before tool dispatch
HIGH D8
Agent class 'ClosureAgent' has no permission model
...\packages\autogen-core\src\autogen_core\_closure_agent.py:76
Add role/permission checks before tool dispatch
HIGH D8
Agent class 'RoutedAgent' has no permission model
...n\packages\autogen-core\src\autogen_core\_routed_agent.py:415
Add role/permission checks before tool dispatch
HIGH D8
Agent class 'ToolAgent' has no permission model
...s\autogen-core\src\autogen_core\tool_agent\_tool_agent.py:40
Add role/permission checks before tool dispatch
HIGH D8
Agent class 'LongRunningAgent' has no permission model
...n\python\packages\autogen-core\tests\test_cancellation.py:25
Add role/permission checks before tool dispatch
HIGH D8
Agent class 'NestingLongRunningAgent' has no permission model
...n\python\packages\autogen-core\tests\test_cancellation.py:44
Add role/permission checks before tool dispatch
HIGH D8
Agent class 'CounterAgent' has no permission model
...n\python\packages\autogen-core\tests\test_routed_agent.py:28
Add role/permission checks before tool dispatch
HIGH D8
Agent class 'EventAgent' has no permission model
...n\python\packages\autogen-core\tests\test_routed_agent.py:130
Add role/permission checks before tool dispatch
HIGH D8
Agent class 'RPCAgent' has no permission model
...n\python\packages\autogen-core\tests\test_routed_agent.py:176
Add role/permission checks before tool dispatch
HIGH D8
Agent class 'FailingAgent' has no permission model
...utogen\python\packages\autogen-core\tests\test_runtime.py:332
Add role/permission checks before tool dispatch
HIGH D8
Agent class 'StatefulAgent' has no permission model
...\autogen\python\packages\autogen-core\tests\test_state.py:7
Add role/permission checks before tool dispatch
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...\python\packages\autogen-core\src\autogen_core\logging.py:33
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...ges\autogen-core\src\autogen_core\_agent_instantiation.py:26
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...\packages\autogen-core\src\autogen_core\_agent_runtime.py:94
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...\packages\autogen-core\src\autogen_core\_closure_agent.py:162
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...n\python\packages\autogen-core\src\autogen_core\_image.py:25
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...n\packages\autogen-core\src\autogen_core\_intervention.py:33
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...n\packages\autogen-core\src\autogen_core\_routed_agent.py:427
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...n-core\src\autogen_core\_single_threaded_agent_runtime.py:175
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...utogen-core\src\autogen_core\_type_prefix_subscription.py:19
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...kages\autogen-core\src\autogen_core\_type_subscription.py:19
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...en-core\src\autogen_core\code_executor\_func_with_reqs.py:179
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...ages\autogen-core\src\autogen_core\memory\_list_memory.py:37
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...rc\autogen_core\model_context\_chat_completion_context.py:28
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...ges\autogen-core\src\autogen_core\tools\_function_tool.py:59
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...\autogen-core\src\autogen_core\utils\_json_to_pydantic.py:411
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...gen\python\packages\autogen-core\tests\test_base_agent.py:2
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...en\python\packages\autogen-core\tests\test_cache_store.py:3
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...n\python\packages\autogen-core\tests\test_cancellation.py:5
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...\python\packages\autogen-core\tests\test_closure_agent.py:5
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...\python\packages\autogen-core\tests\test_code_executor.py:4
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...thon\packages\autogen-core\tests\test_component_config.py:7
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...n\python\packages\autogen-core\tests\test_intervention.py:4
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...ython\packages\autogen-core\tests\test_json_extraction.py:2
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...thon\packages\autogen-core\tests\test_json_to_pydantic.py:6
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...autogen\python\packages\autogen-core\tests\test_memory.py:4
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...autogen\python\packages\autogen-core\tests\test_models.py:2
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...\python\packages\autogen-core\tests\test_model_context.py:4
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...n\python\packages\autogen-core\tests\test_routed_agent.py:6
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...utogen\python\packages\autogen-core\tests\test_runtime.py:4
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...\python\packages\autogen-core\tests\test_serialization.py:5
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...\autogen\python\packages\autogen-core\tests\test_state.py:4
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...ges\autogen-core\tests\test_static_workbench_overrides.py:4
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...n\python\packages\autogen-core\tests\test_subscription.py:2
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...\autogen\python\packages\autogen-core\tests\test_tools.py:7
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...gen\python\packages\autogen-core\tests\test_tool_agent.py:7
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...\autogen\python\packages\autogen-core\tests\test_types.py:5
Define is_termination_msg function to control when agents stop
HIGH D7
AutoGen agent without is_termination_msg — no conversation exit condition
...ogen\python\packages\autogen-core\tests\test_workbench.py:4
Define is_termination_msg function to control when agents stop
HIGH D10
Azure AI used without ContentSafetyClient — no content moderation
...ckages\autogen-core\src\autogen_core\_component_config.py:48
Add Azure ContentSafetyClient to analyse prompts/responses for harmful content
EU AI Act Article 15 · OWASP LLM02
HIGH D17
No behavioral trap detection — post-execution behavioral changes not monitored. (10/10 M365 Copilot attacks succeeded)
Deploy trap defense layer on tool results
EU AI Act Article 14 · OWASP LLM07 · MITRE AML.T0051
HIGH D17
No approval integrity verification -- agent summaries for approval not cross-checked against actual actions. (Approval fatigue exploitation)
Deploy trap defense layer on tool results
EU AI Act Article 14 · OWASP LLM07 · MITRE AML.T0048
MEDIUM 65
MEDIUM D12
Hardcoded model name: 'gpt-41' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:22
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-45' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:23
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:24
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:28
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gemini-1.5-flash' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:31
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gemini-1.5-pro' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:32
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-haiku' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:36
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-sonnet' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:37
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-opus' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:38
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-5-haiku' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:39
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-5-sonnet' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:40
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-7-sonnet' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:41
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-41' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:58
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-45' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:59
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:60
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:64
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gemini-1.5-flash' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:68
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gemini-1.5-pro' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:69
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-haiku' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:74
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-sonnet' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:75
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-opus' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:76
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-5-haiku' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:77
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-5-sonnet' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:78
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-7-sonnet' — no routing/fallback
...ges\autogen-core\src\autogen_core\models\_model_client.py:79
Use model routing or configuration instead of hardcoded names
MEDIUM D5
No log retention policy detected
Configure log rotation and retention periods
MEDIUM D12
Agent class 'Agent' has no cost tracking
...n\python\packages\autogen-core\src\autogen_core\_agent.py:13
Track token usage and costs per agent execution
MEDIUM D12
Agent class 'BaseAgent' has no cost tracking
...hon\packages\autogen-core\src\autogen_core\_base_agent.py:60
Track token usage and costs per agent execution
MEDIUM D12
Agent class 'ClosureAgent' has no cost tracking
...\packages\autogen-core\src\autogen_core\_closure_agent.py:76
Track token usage and costs per agent execution
MEDIUM D12
Agent class 'RoutedAgent' has no cost tracking
...n\packages\autogen-core\src\autogen_core\_routed_agent.py:415
Track token usage and costs per agent execution
MEDIUM D8
Agent class 'RoutedAgent' has no defined lifecycle states
...n\packages\autogen-core\src\autogen_core\_routed_agent.py:415
Add state machine (ACTIVE/SUSPENDED/RETIRED) for agent lifecycle
MEDIUM D12
Agent class 'ToolAgent' has no cost tracking
...s\autogen-core\src\autogen_core\tool_agent\_tool_agent.py:40
Track token usage and costs per agent execution
MEDIUM D8
Agent class 'ToolAgent' has no defined lifecycle states
...s\autogen-core\src\autogen_core\tool_agent\_tool_agent.py:40
Add state machine (ACTIVE/SUSPENDED/RETIRED) for agent lifecycle
MEDIUM D12
Agent class 'LongRunningAgent' has no cost tracking
...n\python\packages\autogen-core\tests\test_cancellation.py:25
Track token usage and costs per agent execution
MEDIUM D8
Agent class 'LongRunningAgent' has no defined lifecycle states
...n\python\packages\autogen-core\tests\test_cancellation.py:25
Add state machine (ACTIVE/SUSPENDED/RETIRED) for agent lifecycle
MEDIUM D12
Agent class 'NestingLongRunningAgent' has no cost tracking
...n\python\packages\autogen-core\tests\test_cancellation.py:44
Track token usage and costs per agent execution
MEDIUM D8
Agent class 'NestingLongRunningAgent' has no defined lifecycle states
...n\python\packages\autogen-core\tests\test_cancellation.py:44
Add state machine (ACTIVE/SUSPENDED/RETIRED) for agent lifecycle
MEDIUM D12
Agent class 'CounterAgent' has no cost tracking
...n\python\packages\autogen-core\tests\test_routed_agent.py:28
Track token usage and costs per agent execution
MEDIUM D8
Agent class 'CounterAgent' has no defined lifecycle states
...n\python\packages\autogen-core\tests\test_routed_agent.py:28
Add state machine (ACTIVE/SUSPENDED/RETIRED) for agent lifecycle
MEDIUM D12
Agent class 'EventAgent' has no cost tracking
...n\python\packages\autogen-core\tests\test_routed_agent.py:130
Track token usage and costs per agent execution
MEDIUM D8
Agent class 'EventAgent' has no defined lifecycle states
...n\python\packages\autogen-core\tests\test_routed_agent.py:130
Add state machine (ACTIVE/SUSPENDED/RETIRED) for agent lifecycle
MEDIUM D12
Agent class 'RPCAgent' has no cost tracking
...n\python\packages\autogen-core\tests\test_routed_agent.py:176
Track token usage and costs per agent execution
MEDIUM D8
Agent class 'RPCAgent' has no defined lifecycle states
...n\python\packages\autogen-core\tests\test_routed_agent.py:176
Add state machine (ACTIVE/SUSPENDED/RETIRED) for agent lifecycle
MEDIUM D12
Agent class 'FailingAgent' has no cost tracking
...utogen\python\packages\autogen-core\tests\test_runtime.py:332
Track token usage and costs per agent execution
MEDIUM D8
Agent class 'FailingAgent' has no defined lifecycle states
...utogen\python\packages\autogen-core\tests\test_runtime.py:332
Add state machine (ACTIVE/SUSPENDED/RETIRED) for agent lifecycle
MEDIUM D12
Agent class 'StatefulAgent' has no cost tracking
...\autogen\python\packages\autogen-core\tests\test_state.py:7
Track token usage and costs per agent execution
MEDIUM D14
Unpinned AI dependency: autogen
...repos\autogen\python\packages\autogen-core\pyproject.toml:6
Pin version: autogen==<specific_version>
MEDIUM D14
Unpinned AI dependency: autogen
...repos\autogen\python\packages\autogen-core\pyproject.toml:9
Pin version: autogen==<specific_version>
MEDIUM D14
Unpinned AI dependency: autogen
...repos\autogen\python\packages\autogen-core\pyproject.toml:31
Pin version: autogen==<specific_version>
MEDIUM D14
Unpinned AI dependency: langchain
...repos\autogen\python\packages\autogen-core\pyproject.toml:35
Pin version: langchain==<specific_version>
MEDIUM D14
Unpinned AI dependency: openai
...repos\autogen\python\packages\autogen-core\pyproject.toml:35
Pin version: openai==<specific_version>
MEDIUM D14
Unpinned AI dependency: llama-index
...repos\autogen\python\packages\autogen-core\pyproject.toml:37
Pin version: llama-index==<specific_version>
MEDIUM D14
Unpinned AI dependency: openai
...repos\autogen\python\packages\autogen-core\pyproject.toml:37
Pin version: openai==<specific_version>
MEDIUM D14
Unpinned AI dependency: llama-index
...repos\autogen\python\packages\autogen-core\pyproject.toml:38
Pin version: llama-index==<specific_version>
MEDIUM D14
Unpinned AI dependency: openai
...repos\autogen\python\packages\autogen-core\pyproject.toml:38
Pin version: openai==<specific_version>
MEDIUM D14
Unpinned AI dependency: llama-index
...repos\autogen\python\packages\autogen-core\pyproject.toml:39
Pin version: llama-index==<specific_version>
MEDIUM D14
Unpinned AI dependency: llama-index
...repos\autogen\python\packages\autogen-core\pyproject.toml:40
Pin version: llama-index==<specific_version>
MEDIUM D14
Unpinned AI dependency: llama-index
...repos\autogen\python\packages\autogen-core\pyproject.toml:41
Pin version: llama-index==<specific_version>
MEDIUM D14
Unpinned AI dependency: llama-index
...repos\autogen\python\packages\autogen-core\pyproject.toml:42
Pin version: llama-index==<specific_version>
MEDIUM D14
Unpinned AI dependency: autogen
...repos\autogen\python\packages\autogen-core\pyproject.toml:65
Pin version: autogen==<specific_version>
MEDIUM D14
Unpinned AI dependency: autogen
...repos\autogen\python\packages\autogen-core\pyproject.toml:71
Pin version: autogen==<specific_version>
MEDIUM D14
Unpinned AI dependency: autogen
...repos\autogen\python\packages\autogen-core\pyproject.toml:86
Pin version: autogen==<specific_version>
MEDIUM D17
No adversarial testing evidence — no red team, no prompt injection tests
Implement adversarial testing for agent systems
MEDIUM D17
No tool-call attack simulation — agent tool calls not tested against adversarial inputs
Implement adversarial testing for agent systems
MEDIUM D17
No multi-agent chaos engineering — agent swarms not stress tested
Implement adversarial testing for agent systems
MEDIUM D17
No before/after governance comparison — no A/B testing of governance effectiveness
Implement adversarial testing for agent systems
💡 Recommendations (ordered by score impact)
#1
Establish a live tool inventory +21 pts
No tool catalog detected. Without a centralized inventory of MCP tools and their schemas, governance policies have nothing to enforce against. Deploy a tool registry with auto-discovery.
⚠ The Workaround Tax
Stop paying the Workaround Tax. Relying on prompt-filters and out-of-band monitoring forces your developers to write manual security logic scattered across every agent and service. A centralized gateway enforces policy automatically — at the interception layer, on every tool call, without code changes in your agents.
Current state: 6 / 100 ✗ UNGOVERNED
  D1 Tool Inventory         4 / 25
  D2 Risk Detection         0 / 20
  D9 Threat Detection       0 / 20
  D3 Policy Coverage        2 / 20
  D4 Credential Management  3 / 20
+ SharkRouter (full deployment): 91 / 100 ✓ GOVERNED *
  D1 Tool Inventory         23 (+19)
  D2 Risk Detection         18 (+18)
  D9 Threat Detection       18 (+18)
  D3 Policy Coverage        18 (+16)
  D4 Credential Management  18 (+15)
* Projection based on SharkRouter's estimated score. Actual results may vary.
#2
Deploy risk classification for tool calls +20 pts
No risk scoring on tool invocations. Every tool call carries the same implicit trust level. Classify tools by risk (destructive, financial, exfiltration) and enforce approval gates for high-risk categories. (3 findings in this dimension)
#3
Deploy behavioral detection and kill switch +20 pts
No behavioral baselines, no anomaly detection, no auto-suspend capability. A compromised agent can operate indefinitely. Salami slicing across sessions is undetectable. (3 findings in this dimension)
#4
Implement policy enforcement on tool calls +18 pts
No deny/allow/audit policies detected. Agents can invoke any tool without restriction. Deploy an inline policy engine with deny-by-default for destructive and financial tools.
#5
Move credentials to a secrets manager +17 pts
API keys or credentials found in source code. Move to HashiCorp Vault, AWS Secrets Manager, or environment-level secret stores. Rotate all exposed keys immediately. Add .env to .gitignore.
Generated by Warden v1.6.0 · Open Source · MIT License · github.com/sharkrouter/warden
Scoring model v4.3 · 17 weighted dimensions · 235 pts · methodology in SCORING.md
Scan data stays on your machine. Email delivery is opt-in only.
When opted in: score + metadata only. Never: keys, logs, paths, or PII.