剣 KENSAI
Based on Tsinghua University Research · 2025

AI Agent Security Scanner

Scan autonomous AI agents for 5 critical vulnerability classes identified by Tsinghua University research. Get CVSS scores, CWE mappings, and NIS2 / EU AI Act compliance gaps in under 60 seconds.

5
Vulnerability Classes
9.1
Highest CVSS Score
NIS2 + EU AI Act
Compliance Mapped
<60s
Scan Time

5 Vulnerability Classes

Identified by Tsinghua University / Ant Group in their landmark 2025 paper on autonomous LLM agent frameworks.

Skill / Plugin Poisoning

Tsinghua §3.1
CVSS 8.1 · HIGH

Malicious or misconfigured plugins are loaded without integrity verification, allowing attackers to inject code into agent skill chains. Unverified third-party skills execute in the agent's privilege context.

CWE-494CWE-829CWE-346
NIS2 Art.21.2.eNIS2 Art.21.2.gEU AI Art.9EU AI Art.15

Indirect Prompt Injection

Tsinghua §3.2
CVSS 8.6 · HIGH

Attacker-controlled content in documents, web pages, or API responses hijacks agent instructions at runtime. The agent follows injected commands believing they are legitimate user instructions.

CWE-20CWE-74CWE-116
NIS2 Art.21.2.eNIS2 Art.21.2.dEU AI Art.9EU AI Art.13EU AI Art.15

Memory Poisoning

Tsinghua §3.3
CVSS 7.5 · HIGH

Untrusted input persistently corrupts the agent's long-term memory store. Poisoned memories influence all future decisions, causing the agent to behave maliciously across sessions without further attacker interaction.

CWE-915CWE-501CWE-472
NIS2 Art.21.2.eNIS2 Art.21.2.hEU AI Art.9EU AI Art.12EU AI Art.15

Intent Drift (Privilege Escalation)

Tsinghua §3.4
CVSS 9 · CRITICAL

The agent gradually escalates from benign actions to privileged operations through multi-step reasoning drift. No single step appears malicious, making detection with per-action rules impossible.

CWE-269CWE-284CWE-862
NIS2 Art.21.2.cNIS2 Art.21.2.eEU AI Art.9EU AI Art.14EU AI Art.15

Stealth Command Execution

Tsinghua §3.5
CVSS 9.1 · CRITICAL

Attackers use encoding tricks, Unicode homoglyphs, and command decomposition to bypass safety filters. The agent executes shell commands that content moderation never flags as dangerous.

CWE-78CWE-116CWE-693
NIS2 Art.21.2.eNIS2 Art.21.2.gEU AI Art.9EU AI Art.15

Ready to scan your agent?

Point KENSAI at any LangChain, AutoGPT, OpenClaw, or custom LLM agent and get a full vulnerability report in under 60 seconds.

Start Free Scan

How It Works

Three steps from zero to a full AI agent security assessment.

01

Point at your agent

Provide a GitHub repo URL, filesystem path, or OpenClaw workspace. KENSAI auto-detects the agent framework (LangChain, AutoGPT, OpenClaw, custom) and resolves plugins, memory configs, and tool manifests.

02

Scan for all 5 classes

The scanner runs 5 specialised checks in parallel — each targeting a distinct Tsinghua vulnerability class. Static analysis, pattern matching, config auditing, and simulation-based checks run in under 60 seconds.

03

Get a compliance-mapped report

Receive a detailed KENSAI report with CVSS scores, evidence snippets, step-by-step remediation, and automatic NIS2 / EU AI Act compliance mapping — ready to send to your security team or auditor.

Compliance Mapping

Every vulnerability finding is automatically mapped to NIS2 and EU AI Act obligations — so you know exactly which regulatory articles are at risk.

NIS2
Art.21.2.e

Supply Chain Security

Mandatory security in network and information systems — covers agent plugin/skill supply chains.

Skill/Plugin PoisoningStealth Command Execution
NIS2
Art.21.2.d

Security During Procurement

Controls on acquisition and development of AI systems, including input validation for external content.

Indirect Prompt Injection
NIS2
Art.21.2.c

Access Control & Privilege Management

Prevention of unauthorized privilege escalation in critical digital infrastructure.

Intent Drift
EU AI Act
Art.9

Risk Management System

High-risk AI systems must maintain an ongoing risk management system covering all five agent vulnerability classes.

All 5 Vulnerability Classes
EU AI Act
Art.14

Human Oversight

AI systems must be monitorable and stoppable; Intent Drift directly defeats human oversight mechanisms.

Intent Drift
EU AI Act
Art.15

Accuracy & Robustness

Resilience against adversarial manipulation — directly applicable to prompt injection and memory attacks.

Indirect Prompt InjectionMemory Poisoning

NIS2 Deadline Passed — October 2024

EU member states were required to transpose NIS2 into national law by October 17, 2024. AI agent deployments that handle critical infrastructure or important entity data may now face Article 21 obligations. KENSAI maps each agent finding to specific NIS2 articles automatically.

Supported Agent Frameworks

KENSAI auto-detects your framework and applies the appropriate checks.

LangChainAutoGPTOpenClawLangGraphCrewAIAutoGenSemantic KernelCustom AgentOpenAI Assistants

Start scanning your AI agents today

Free scan covers all 5 vulnerability classes. No signup required for the first scan. CVSS scores and compliance mapping included.

No installation requiredResults in under 60 secondsNIS2 + EU AI Act mapped