OWASP Top 10 Applied to AI Agent Systems
AI agents built with Claude and Next.js face unique security risks that traditional web app frameworks don't catch—learn how to apply OWASP Top 10 principles to prevent prompt injection, unauthorized model access, and data exposure in production agent systems.
Prompt Injection: The New SQL Injection
Prompt injection attacks manipulate Claude's behavior by injecting malicious instructions into user-controlled input. Unlike SQL injection, the 'syntax' is natural language, making detection harder. An attacker can override your system prompt, extract training data references, or trigger unintended model behaviors.
Mitigation: Never concatenate user input directly into prompts. Use Claude's native system vs. user message separation, validate input length, and implement output filtering. Consider using function calling exclusively for sensitive operations—Claude respects tool boundaries better than free-form text constraints.
```javascript
import Anthropic from '@anthropic-ai/sdk';
const client = new Anthropic(); // reads ANTHROPIC_API_KEY from the environment
// userInput: the raw string taken from the HTTP request body (attacker-controlled)

// Bad: vulnerable to injection
const vulnerableResponse = await client.messages.create({
  model: 'claude-3-5-sonnet-20241022',
  max_tokens: 1024,
  messages: [{
    role: 'user',
    content: `Analyze: ${userInput}` // Attacker controls this
  }]
});

// Good: structured, bounded
const boundedResponse = await client.messages.create({
  model: 'claude-3-5-sonnet-20241022',
  max_tokens: 1024,
  system: 'You are a data analyst. Only use provided tools.', // instructions live in the system message, not in user text
  messages: [{
    role: 'user',
    content: userInput.slice(0, 500) // Bounded input
  }],
  tools: [{ name: 'analyze_data', ... }] // Constrained outputs (tool definition elided in the original)
});
```
Sensitive Data Exposure in Agent Memory
AI agents maintain conversation history and retrieved context. If stored in Supabase without encryption, API keys, user PII, or proprietary data can leak. Claude itself doesn't 'remember' between API calls—your backend does. That's your attack surface.
Encrypt sensitive fields at rest using Supabase's pgcrypto or application-level encryption. Log what the agent sees; use row-level security (RLS) policies. Never log full API responses containing credentials. Implement automatic redaction of PII before storing conversation context.
Model Denial of Service & Token Exhaustion
Attackers can craft inputs designed to maximize token consumption, draining your API budget or causing timeouts. Agents with web search or document retrieval can be manipulated into processing enormous contexts.
Set hard limits: max_tokens parameter capped in code (not configurable), rate limiting per user, and input size checks before calling Claude. Monitor token spend via Anthropic's dashboard. Use Claude's caching feature for repetitive contexts to reduce costs and improve latency.
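As an added example (not code from the Pantheon project), the block below applies those three limits before a request object for Claude is ever built: a per-user rate limiter, an input-size check, and a `max_tokens` value fixed in code. It also caps the total amount of retrieved context, since web-search or document-retrieval results are the other lever an attacker has on context size. The limit values, the chars-per-token estimate and the in-memory limiter store are assumptions for the demo; the request is built but never sent, so the block runs offline.

```javascript
// Added example, not Pantheon code: bound every request before calling Claude.
const LIMITS = Object.freeze({
  maxInputChars: 4000,     // rejected before tokenizing
  maxOutputTokens: 1024,   // hard-coded, not read from any config
  requestsPerMinute: 20,   // per end user
});

// Fixed-window counter per user. In production back this with a shared store
// (Redis or a Supabase table) so the limit holds across Next.js instances.
class PerUserRateLimiter {
  constructor(limit, windowMs = 60_000, now = () => Date.now()) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now; // injectable clock so the behaviour can be tested
    this.windows = new Map(); // userId -> { start, count }
  }
  allow(userId) {
    const t = this.now();
    const w = this.windows.get(userId);
    if (!w || t - w.start >= this.windowMs) {
      this.windows.set(userId, { start: t, count: 1 });
      return true;
    }
    if (w.count >= this.limit) return false;
    w.count += 1;
    return true;
  }
}

// Rough budgeting estimate (assumption: about 4 characters per token).
function estimateTokens(text) { return Math.ceil(text.length / 4); }

// Returns { ok: true, request, estimatedInputTokens } or { ok: false, reason }.
function buildBoundedRequest(limiter, userId, userInput, retrievedDocs = []) {
  if (!limiter.allow(userId)) return { ok: false, reason: 'rate_limited' };
  if (typeof userInput !== 'string' || userInput.length > LIMITS.maxInputChars) {
    return { ok: false, reason: 'input_too_large' };
  }
  // Retrieved context is attacker-influenceable too: cap the total we send
  // rather than trusting the retriever to return something reasonable.
  let budget = LIMITS.maxInputChars * 2;
  const context = [];
  for (const doc of retrievedDocs) {
    if (doc.length > budget) break;
    context.push(doc);
    budget -= doc.length;
  }
  const content = [context.join('\n---\n'), userInput].filter(Boolean).join('\n\n');
  const request = {
    model: 'claude-3-5-sonnet-20241022',
    max_tokens: LIMITS.maxOutputTokens,
    system: 'You are a data analyst. Only use provided tools.',
    messages: [{ role: 'user', content }],
  };
  return { ok: true, request, estimatedInputTokens: estimateTokens(content) };
}
```

The request object is the same shape the `client.messages.create` call above takes, so the only change at the call site is to pass `result.request` when `result.ok` is true and return an error to the user otherwise.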
Broken Access Control in Agent Tooling
Agents call external tools (databases, APIs, file systems). If the agent runs with over-privileged credentials or tools lack caller authentication, an attacker can leverage the agent to access restricted resources.
Principle of least privilege: each agent should connect to resources with minimal scopes. Use separate Supabase service roles, API keys, or database users for different agent workflows. Validate that the end user requesting an action has authorization before the agent executes the tool. Audit tool calls server-side, not just client-side.
Insecure Deserialization & Code Injection via Model Output
If you parse Claude's output as code (eval, JSON.parse without validation, or direct template rendering), malicious or confused model outputs can execute arbitrary code or SQL.
Always validate model output structure before use. Parse JSON with strict schemas (zod, ajv). For code generation, use sandboxed runtimes or static analysis. Never eval() model output. Treat Claude's responses as untrusted user input—because in the attack model, an attacker controls the prompt.
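The block below is an added example, not code from the Pantheon repository, and it serves both this section and the access-control one above: a tool call emitted by the model is parsed as JSON, checked against a strict per-tool schema (exact keys, expected types, nothing extra), then the requesting end user's role is checked against a per-tool allowlist, and every decision is written to an audit list before anything executes. The tool names, schemas, roles, tool implementations and the in-memory audit sink are all hypothetical stand-ins; the checks use only plain JavaScript so the block runs without zod or ajv, which you would substitute in a real code base.

```javascript
// Added example, not Pantheon code: strict validation plus server-side
// authorization and auditing of a model-emitted tool call.

// Schema per tool: exactly these keys with these types. Anything extra,
// missing or mistyped is rejected rather than coerced.
const TOOL_SCHEMAS = {
  analyze_data: { dataset_id: 'string', metric: 'string' },
  delete_record: { table: 'string', id: 'string' },
};

// Who may invoke which tool. Decided by the end user's role, never by what
// the model asked for.
const TOOL_PERMISSIONS = {
  analyze_data: ['viewer', 'admin'],
  delete_record: ['admin'],
};

// Own-property lookup so keys like "constructor" or "__proto__" in model
// output never resolve to inherited Object.prototype members.
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function validateToolCall(raw) {
  let call;
  try { call = JSON.parse(raw); } catch { return { ok: false, reason: 'not_json' }; }
  if (!call || typeof call !== 'object' || Array.isArray(call)) return { ok: false, reason: 'not_object' };
  if (typeof call.name !== 'string' || !own(TOOL_SCHEMAS, call.name)) return { ok: false, reason: 'unknown_tool' };
  const schema = TOOL_SCHEMAS[call.name];
  const input = call.input;
  if (!input || typeof input !== 'object' || Array.isArray(input)) return { ok: false, reason: 'bad_input' };
  for (const key of Object.keys(input)) {
    if (!own(schema, key)) return { ok: false, reason: `unexpected_key:${key}` };
    if (typeof input[key] !== schema[key]) return { ok: false, reason: `bad_type:${key}` };
  }
  for (const key of Object.keys(schema)) {
    if (!own(input, key)) return { ok: false, reason: `missing_key:${key}` };
  }
  return { ok: true, name: call.name, input };
}

// Hypothetical tool implementations. Real ones would use a least-privilege
// Supabase client scoped to this workflow, not a shared service-role key.
const TOOL_IMPLS = {
  analyze_data: ({ dataset_id, metric }) => `analyzed ${metric} on ${dataset_id}`,
  delete_record: ({ table, id }) => `deleted ${table}/${id}`,
};

// `audit` stands in for an append-only audit table; every outcome is logged,
// including rejections, so abuse attempts are visible server-side.
function dispatchToolCall(rawModelOutput, user, audit = []) {
  const entry = { userId: user.id, at: new Date().toISOString(), raw: rawModelOutput };
  const v = validateToolCall(rawModelOutput);
  if (!v.ok) {
    audit.push({ ...entry, decision: 'rejected', reason: v.reason });
    return { ok: false, reason: v.reason };
  }
  if (!TOOL_PERMISSIONS[v.name].includes(user.role)) {
    audit.push({ ...entry, decision: 'denied', tool: v.name });
    return { ok: false, reason: 'forbidden' };
  }
  const result = TOOL_IMPLS[v.name](v.input);
  audit.push({ ...entry, decision: 'executed', tool: v.name, input: v.input });
  return { ok: true, result };
}
```

Note that nothing here inspects the model's free-form text at all: only a parsed, schema-conforming object reaches a tool implementation, and the decision to run it depends on the authenticated user, which is the boundary the model cannot talk its way across.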
Using Components & Reference Implementations
The Pantheon repository (github.com/lewisallena17/pantheon) provides production-ready patterns for secure AI agent architectures on Next.js and Supabase. It demonstrates safe prompt templating, tool integration guardrails, memory encryption, and audit logging—all aligned with OWASP principles for AI systems.
Fork Pantheon as your starter kit. It handles the boilerplate of secure agent scaffolding so you can focus on your business logic without reinventing security controls.
Open-source implementation
Everything in this article runs in pantheon — a production-ready Next.js + Supabase + Claude starter. Clone it, deploy to Vercel, run PM2. The dashboard auto-commits every agent edit and reverts itself if TypeScript breaks.
Tools mentioned
- Supabase — open-source Firebase alt
- Vercel — zero-config Next.js hosting
- Anthropic — Claude API
- Claude — AI assistant by Anthropic
- Gumroad — sell digital products
Secure your AI agent system today by applying OWASP Top 10 patterns—use bounded prompts, encrypted agent memory, least-privilege tooling, and strict output validation. Start with Pantheon and adapt it to your Claude agent architecture.