Security advisories (DRAKO-ABSS)

Drako ships with 25 security advisories in the DRAKO-ABSS format — Agent Behavioral Security Standard. Advisories describe vulnerabilities that emerge from how agents are configured and behave, not just from bugs in code.

What DRAKO-ABSS is

CVE tracks software vulnerabilities. DRAKO-ABSS tracks agent behavioral vulnerabilities — problems that emerge from how an agent uses its tools, processes untrusted input, or interacts with other agents. These risks live in configuration and behavior, not necessarily in a single exploitable line of code. Each advisory includes:

Affected frameworks and exploitable conditions
IOC patterns with normalized SHA-256 hashes for runtime matching
Taint path: source → via → sink
References to OWASP, MITRE ATLAS, and CVEs
Mapping to Drako scan rules that detect the pattern
Remediation guidance with effort estimates

DRAKO-ABSS advisories are published under CC-BY-4.0. To contribute a new advisory, submit a YAML file following the schema to the Drako repository.

Coverage

OWASP Top 10 for LLMs

All 10 categories from the OWASP Top 10 for LLM Applications 2025 — LLM01 (Prompt Injection) through LLM10 (Unbounded Consumption).

MITRE ATLAS

Adversarial ML tactics and techniques including AML.T0051 (Prompt Injection), AML.T0054 (LLM Jailbreak), AML.T0040 (Model Extraction), AML.T0020 (Training Data Poisoning).

Framework CVEs

Real CVEs and documented vulnerabilities in CrewAI, LangChain (CVE-2023-36258, CVE-2023-29374, CVE-2023-36189), and AutoGen.

Prompt injection patterns

Documented injection attack patterns: DAN jailbreaks, system prompt extraction, indirect injection via external data, multi-turn context manipulation.

How advisories appear in scan output

Advisories are linked inline to the relevant scan finding:

SEC-007  Prompt injection vulnerability       (agents/researcher.py)
         Related: DRAKO-ABSS-2026-001 — Prompt Injection via Direct and Indirect Instruction Override
         Ref: OWASP LLM01:2025, MITRE AML.T0051

Each advisory is matched to findings via the drako_rules field in its YAML — when a finding’s rule ID appears in that list, the advisory surfaces in output.

ABSS format

Each advisory is a YAML file with the following schema:

id: DRAKO-ABSS-2026-001          # Unique advisory ID (year-sequential)
title: "Short descriptive title"
category: owasp-llm               # owasp-llm | mitre-atlas | framework-cve | prompt-injection
severity: 9                       # 1–10 (10 = most severe)
confidence: 0.95                  # 0.0–1.0 match confidence

affected:
  frameworks: [crewai, langchain] # Affected AI agent frameworks
  conditions:                     # Conditions that make the vulnerability exploitable
    - "Condition description"

ioc:
  type: PROMPT_INJECTION          # IOC category
  patterns:                       # Detectable patterns (strings, regexes)
    - "pattern string"
  pattern_hashes:                 # SHA-256 of normalized patterns (lowercase, stripped)
    - "hex_hash_string"

taint_path:
  source: "user_input"            # Where the attack originates
  sink: "system_prompt_disclosure" # What gets compromised
  via: ["step1", "step2"]         # Attack chain steps

references:
  - type: owasp                   # owasp | mitre_atlas | cve | research | github_issue
    id: "LLM01:2025"
    url: "https://..."

mitigation:
  drako_rules: [SEC-007, SEC-008] # Drako scan rules that detect this
  description: "How to remediate"
  remediation_effort: low         # low | moderate | significant

metadata:
  published: "2026-03-20"
  updated: "2026-03-20"
  author: "Drako Security Research"

IOC types

DRAKO-ABSS defines six AI-native Indicator of Compromise (IOC) types for runtime matching:

IOC type	Description
`PROMPT_INJECTION`	Patterns that attempt to override agent instructions or system prompts
`JAILBREAK`	Patterns designed to remove or bypass model safety constraints
`INDIRECT_INJECTION`	Adversarial instructions embedded in external content retrieved by tools
`CONTEXT_MANIPULATION`	Patterns that exploit multi-turn conversation history to drift agent behavior
`TOOL_ABUSE`	Patterns that manipulate agents into invoking tools with dangerous arguments
`DATA_POISONING`	Patterns that introduce malicious content into training or knowledge stores
`OUTPUT_INJECTION`	Malicious content in LLM output targeting downstream rendering or execution
`SUPPLY_CHAIN`	Indicators of compromised dependencies, plugins, or model artifacts
`RESOURCE_EXHAUSTION`	Inputs designed to consume unbounded compute, tokens, or cost
`API_ABUSE`	Systematic query patterns targeting model extraction or inference abuse
`TOOL_INJECTION`	Adversarial payloads embedded in tool return values
`DELEGATION_ABUSE`	Patterns that exploit agent delegation to escalate privileges
`EXCESSIVE_AGENCY`	Configurations granting agents unrestricted autonomous execution
`DATA_LEAKAGE`	Patterns that trigger accidental exposure of credentials or sensitive data
`ADVERSARIAL_INPUT`	Unicode and encoding exploits that evade content filters
`CODE_EXECUTION`	Patterns that trigger arbitrary code execution via deserialization or injection
`SQL_INJECTION`	Patterns that exploit natural-language-to-SQL conversion
`OVERRELIANCE`	Configurations where LLM output is used without verification
`INSECURE_PLUGIN`	Plugin or tool designs enabling arbitrary execution

Advisory catalogue

OWASP LLM (001–010)
MITRE ATLAS (011–015)
Framework CVEs (016–020)
Prompt injection (021–025)

These advisories map to all 10 categories of the OWASP Top 10 for LLM Applications 2025.

DRAKO-ABSS-2026-001 — Prompt Injection via Direct and Indirect Instruction Override

Severity: 9/10 · Confidence: 0.95 · Category: owasp-llmAffected frameworks: crewai, langchain, autogen, llama-index, semantic-kernelUser input concatenated directly into system or agent prompts without sanitization. An attacker can override agent instructions by injecting directives into the user-controlled portion of the prompt.Taint path: user_input → agent_context → llm_completion → system_prompt_disclosureIOC type: PROMPT_INJECTIONReferences: OWASP LLM01:2025, MITRE AML.T0051, AML.T0054, ARXIV-2302.12173Drako rules: SEC-007, SEC-008, SEC-010Remediation effort: moderate

DRAKO-ABSS-2026-002 — Insecure Output Handling Enabling Downstream Code Execution

Severity: 8/10 · Confidence: 0.92 · Category: owasp-llmAffected frameworks: crewai, langchain, autogen, llama-indexLLM output rendered in a web UI without sanitization, or passed to eval()/exec() without validation. Downstream systems that consume LLM responses as trusted data are vulnerable to script injection and code execution.Taint path: llm_output → unvalidated_rendering → downstream_systemIOC type: OUTPUT_INJECTIONReferences: OWASP LLM02:2025, MITRE AML.T0048, CWE-79, CWE-94Drako rules: SEC-006, BP-002Remediation effort: moderate

DRAKO-ABSS-2026-003 — Training Data Poisoning via Unvalidated Fine-Tuning Pipelines

Severity: 7/10 · Confidence: 0.88 · Category: owasp-llmAffected frameworks: crewai, langchain, autogen, llama-index, semantic-kernelFine-tuning datasets include user-generated or web-scraped content without validation. RAG knowledge bases populated from unmoderated sources introduce adversarial samples that shift model behavior.Taint path: external_training_data → data_ingestion_pipeline → fine_tuning_job → model_weightsIOC type: DATA_POISONINGReferences: OWASP LLM03:2025, MITRE AML.T0020, AML.T0019, ARXIV-2401.05566Drako rules: GOV-001, COM-003Remediation effort: significant

DRAKO-ABSS-2026-004 — Model Denial of Service via Resource Exhaustion Attacks

Severity: 7/10 · Confidence: 0.90 · Category: owasp-llmAffected frameworks: crewai, langchain, autogen, llama-index, semantic-kernelNo input length validation or token counting before LLM API calls. Agent loops lack iteration limits or timeout mechanisms. Recursive prompt patterns consume unbounded compute and cost.Taint path: user_input → token_expansion → recursive_prompt_loop → llm_api_resource_poolIOC type: RESOURCE_EXHAUSTIONReferences: OWASP LLM04:2025, MITRE AML.T0029, CWE-400, CWE-770Drako rules: MAG-001, MAG-002, GOV-007Remediation effort: low

DRAKO-ABSS-2026-005 — Supply Chain Vulnerabilities in LLM Plugin and Model Dependencies

Severity: 8/10 · Confidence: 0.91 · Category: owasp-llmAffected frameworks: crewai, langchain, autogen, llama-index, semantic-kernelModel artifacts loaded from public hubs without integrity verification. Plugin dependencies use unpinned versions. No software bill of materials exists for the agent pipeline.Taint path: external_package_registry → dependency_resolution → dynamic_import → agent_runtimeIOC type: SUPPLY_CHAINReferences: OWASP LLM05:2025, MITRE AML.T0010, CWE-829, CWE-1357Drako rules: COM-005, SEC-001Remediation effort: moderate

DRAKO-ABSS-2026-006 — Sensitive Information Disclosure via LLM Context Leakage

Severity: 9/10 · Confidence: 0.94 · Category: owasp-llmAffected frameworks: crewai, langchain, autogen, llama-index, semantic-kernelAPI keys or credentials embedded in system prompts or agent configurations. PII included in LLM context without redaction. RAG retrieval surfaces confidential documents without access control filtering.Taint path: sensitive_data_store → prompt_context / rag_retrieval / agent_memory → llm_outputIOC type: DATA_LEAKAGEReferences: OWASP LLM06:2025, MITRE AML.T0024, AML.T0044, CWE-200Drako rules: SEC-001, COM-001, COM-002Remediation effort: moderate

DRAKO-ABSS-2026-007 — Insecure Plugin and Tool Design Enabling Arbitrary Code Execution

Severity: 8/10 · Confidence: 0.93 · Category: owasp-llmAffected frameworks: crewai, langchain, autogen, llama-index, semantic-kernelAgent tools use exec() or eval() with LLM-generated arguments. File system access tools lack path traversal protections. Tools accept user-controlled input without schema validation.Taint path: llm_generated_arguments → tool_dispatch → unvalidated_parameter_passing → system_execution_contextIOC type: INSECURE_PLUGINReferences: OWASP LLM07:2025, MITRE AML.T0040, CWE-78, CWE-95Drako rules: SEC-003, SEC-005, SEC-006, GOV-002Remediation effort: moderate

DRAKO-ABSS-2026-008 — Excessive Agency via Unrestricted Tool Access and Autonomous Execution

Severity: 9/10 · Confidence: 0.94 · Category: owasp-llmAffected frameworks: crewai, langchain, autogen, llama-index, semantic-kernelAgent has simultaneous access to filesystem, network, and code execution tools with no human-in-the-loop approval. Wildcard tool permission grants instead of explicit allowlists.Taint path: agent_autonomy_configuration → tool_orchestration → unsupervised_execution_loop → unrestricted_system_actionsIOC type: EXCESSIVE_AGENCYReferences: OWASP LLM08:2025, MITRE AML.T0048, CWE-250, CWE-269Drako rules: GOV-005, GOV-006, SEC-003, SEC-005Remediation effort: moderate

DRAKO-ABSS-2026-009 — Overreliance on LLM Output Without Verification or Fact-Checking

Severity: 5/10 · Confidence: 0.85 · Category: owasp-llmAffected frameworks: crewai, langchain, autogen, llama-index, semantic-kernelAgent output used for decision-making without validation against ground truth. LLM-generated code executed without review or static analysis. No fact-checking or cross-referencing mechanism in the pipeline.Taint path: llm_generated_output → unchecked_acceptance → missing_validation_layer → business_decision_or_actionIOC type: OVERRELIANCEReferences: OWASP LLM09:2025, MITRE AML.T0048, ARXIV-2309.01219Drako rules: GOV-001, BP-001Remediation effort: low

DRAKO-ABSS-2026-010 — Unbounded Consumption via Missing Token, Cost, and Rate Controls

Severity: 7/10 · Confidence: 0.91 · Category: owasp-llmAffected frameworks: crewai, langchain, autogen, llama-index, semantic-kernelNo maximum token limit configured for LLM API calls. Agent execution loops lack iteration caps or cost budgets. Multi-agent orchestrations have no aggregate cost ceiling.Taint path: agent_configuration → unmetered_api_calls → runaway_agent_loop → cloud_billing_accountIOC type: UNBOUNDED_CONSUMPTIONReferences: OWASP LLM10:2025, MITRE AML.T0029, CWE-770, CWE-799Drako rules: MAG-001, MAG-002, MAG-003, GOV-007Remediation effort: low

These advisories map to MITRE ATLAS adversarial machine learning tactics and techniques.

DRAKO-ABSS-2026-011 — LLM Prompt Injection via Adversarial Input Manipulation

Severity: 9/10 · Confidence: 0.92 · Category: mitre-atlasAffected frameworks: crewai, langchain, autogen, llama-index, semantic-kernelUser-supplied input concatenated directly into LLM prompt without sanitization. No input validation or prompt boundary enforcement. Injected role markers (system:, [INST], <|im_start|>system) override intended LLM behavior.Taint path: user_input / external_data → application concatenates into prompt → injected markers override behavior → llm.generate()IOC type: PROMPT_INJECTIONReferences: MITRE AML.T0051, OWASP LLM01, Perez-2022 (ARXIV-2211.09527)Drako rules: SEC-007, SEC-008, SEC-010Remediation effort: moderate

DRAKO-ABSS-2026-012 — LLM Jailbreak via Persona Hijacking and Constraint Removal

Severity: 8/10 · Confidence: 0.88 · Category: mitre-atlasAffected frameworks: crewai, langchain, autogen, llama-index, semantic-kernelAgent system prompt lacks robust refusal-reinforcement instructions. No jailbreak detection layer between user input and LLM inference. Persona-override prompts (DAN, developer mode) bypass safety constraints.Taint path: user_input → crafted persona-override prompt → jailbreak detection bypass → LLM adopts adversarial persona → agent.execute()IOC type: JAILBREAKReferences: MITRE AML.T0054, Shen-2023 (ARXIV-2308.03825)Drako rules: SEC-007, SEC-010Remediation effort: moderate

DRAKO-ABSS-2026-013 — Adversarial Data Crafting via Unicode and Encoding Exploits

Severity: 7/10 · Confidence: 0.85 · Category: mitre-atlasAffected frameworks: crewai, langchain, autogen, llama-indexAgent input pipeline does not normalize Unicode before processing. Zero-width characters (U+200B–U+200F) inserted between blocked keywords evade content filters. Bidirectional override characters and homoglyph substitution reorder or disguise malicious payloads.Taint path: user_input / external_document → zero-width / homoglyph obfuscation → content filter bypass → agent.parse_input()IOC type: ADVERSARIAL_INPUTReferences: MITRE AML.T0043, Boucher-2021 (Trojan Source), Unicode TR36Drako rules: SEC-006, BP-002Remediation effort: moderate

DRAKO-ABSS-2026-014 — ML Model Inference API Abuse and Model Extraction

Severity: 6/10 · Confidence: 0.82 · Category: mitre-atlasAffected frameworks: crewai, langchain, autogen, llama-index, semantic-kernelAgent exposes LLM inference endpoint without per-user rate limiting. No token budget or cost ceiling per session. Systematic queries extract model behavior boundaries and approximate model weights.Taint path: external_api_client → systematic queries with controlled inputs → extracted knowledge enables model cloning → llm_inference_endpointIOC type: API_ABUSEReferences: MITRE AML.T0040, Tramer-2016 (ARXIV-1609.02943)Drako rules: GOV-007, MAG-001, ID-001Remediation effort: significant

DRAKO-ABSS-2026-015 — Data Poisoning via Unvalidated Agent Feedback Loops

Severity: 7/10 · Confidence: 0.80 · Category: mitre-atlasAffected frameworks: crewai, langchain, autogen, llama-indexAgent output is stored and later used as training data or few-shot examples without human-in-the-loop validation. RAG indexes agent-generated content without provenance tracking. Poisoned data retrieved in future queries amplifies behavioral corruption.Taint path: agent_output / llm_response → stored without provenance tracking → retrieved in future queries → training_data_store / rag_index / memory_backendIOC type: DATA_POISONINGReferences: MITRE AML.T0048, Shumailov-2023 (ARXIV-2305.17493), OWASP LLM03Drako rules: GOV-001, COM-003Remediation effort: significant

These advisories cover known CVEs and documented security vulnerabilities in specific AI agent frameworks.

DRAKO-ABSS-2026-016 — CrewAI Tool Output Injection via Unsanitized Return Values

Severity: 8/10 · Confidence: 0.90 · Category: framework-cveAffected frameworks: crewaiTool output not sanitized before agent context injection. Tools fetching external content (web scraping, API calls) may return adversarial payloads. CrewAI injects tool output directly into the agent’s LLM context window without sanitization.Taint path: external_tool_output / web_scrape_result → tool returns raw content → CrewAI injects into LLM context → llm_prompt_assemblyIOC type: TOOL_INJECTIONReferences: crewAI#1234, Greshake-2023 (ARXIV-2302.12173)Drako rules: SEC-007, SEC-008Remediation effort: moderate

DRAKO-ABSS-2026-017 — LangChain Arbitrary Code Execution via Unsafe Deserialization in LCEL

Severity: 9/10 · Confidence: 0.95 · Category: framework-cveAffected frameworks: langchainApplication loads serialized LangChain objects from untrusted sources using pickle or yaml.unsafe_load. LCEL chains constructed from user-provided configuration without validation. Deserialization triggers __reduce__ or custom constructors, executing arbitrary Python code.Taint path: serialized_chain_file / user_config_input → unsafe deserialization → __reduce__ execution → python_runtime / os.system()IOC type: CODE_EXECUTIONReferences: CVE-2023-36258, CVE-2023-29374Drako rules: SEC-005Remediation effort: moderate

DRAKO-ABSS-2026-018 — AutoGen Unrestricted Code Execution in Agent Conversations

Severity: 9/10 · Confidence: 0.93 · Category: framework-cveAffected frameworks: autogenCodeExecutorAgent or UserProxyAgent configured without Docker sandboxing (use_docker=False or unconfigured). Generated code executes with full permissions of the host process, enabling data exfiltration, persistence, and lateral movement.Taint path: llm_generated_code / agent_conversation → code executor without sandbox → local_python_interpreter / system_shellIOC type: CODE_EXECUTIONReferences: AutoGen Security Docs, OWASP LLM08Drako rules: SEC-005Remediation effort: moderate

DRAKO-ABSS-2026-019 — LangChain SQL Injection via Natural Language to SQL Conversion

Severity: 8/10 · Confidence: 0.91 · Category: framework-cveAffected frameworks: langchainSQLDatabaseChain or create_sql_query_chain used with user-controlled natural language input. Generated SQL executed directly against a production database without parameterization. Database user has excessive privileges (DDL, DML on all tables).Taint path: user_natural_language_query → LLM converts to SQL incorporating malicious fragments → SQLDatabaseChain executes without sanitization → database.execute()IOC type: SQL_INJECTIONReferences: CVE-2023-36189Drako rules: SEC-005, SEC-006Remediation effort: moderate

DRAKO-ABSS-2026-020 — CrewAI Unvalidated Agent Delegation Enables Task Hijacking

Severity: 7/10 · Confidence: 0.86 · Category: framework-cveAffected frameworks: crewaiAgent configured with allow_delegation=True (CrewAI default). No delegation policy restricting which agents can delegate to which targets. Adversarial input in Agent A triggers delegation to Agent B, which may have elevated permissions (code execution, API access).Taint path: agent_a_task_context / adversarial_input → Agent A delegates manipulated task → Agent B executes with elevated privileges → tool.run()IOC type: DELEGATION_ABUSEReferences: CrewAI Delegation Docs, OWASP LLM08Drako rules: GOV-002, MULTI-001Remediation effort: moderate

These advisories document specific, documented prompt injection attack patterns.

DRAKO-ABSS-2026-021 — DAN (Do Anything Now) Jailbreak Pattern

Severity: 8/10 · Confidence: 0.92 · Category: prompt-injectionAffected frameworks: crewai, langchain, autogen, llama-index, semantic-kernelDAN-style jailbreak prompts submitted as agent input. Agent passes unfiltered message to LLM, which enters a jailbroken persona and bypasses safety alignment. No output filtering or safety classifier applied after LLM response.Taint path: user_input → DAN prompt → jailbreak detection bypass → LLM jailbroken → unrestricted_llm_outputIOC type: JAILBREAKReferences: OWASP LLM01:2025, MITRE AML.T0054, Shen-2023 (ARXIV-2308.03825)Drako rules: SEC-007, SEC-010Remediation effort: moderate

DRAKO-ABSS-2026-022 — System Prompt Extraction via Instruction Leak Techniques

Severity: 7/10 · Confidence: 0.90 · Category: prompt-injectionAffected frameworks: crewai, langchain, autogen, llama-index, semantic-kernelSystem prompt contains sensitive business logic or API keys. Agent responds to meta-queries about its own configuration ("repeat the above", "show me your system prompt"). No output filtering to prevent system prompt content from appearing in responses.Taint path: user_input → meta-query about instructions → LLM includes system prompt in response → system_prompt_content_in_outputIOC type: PROMPT_LEAKReferences: OWASP LLM01:2025, MITRE AML.T0051, Prompt-Extraction-2023 (ARXIV-2311.17035)Drako rules: SEC-007, SEC-010, COM-001Remediation effort: low

DRAKO-ABSS-2026-023 — Indirect Prompt Injection via External Data Sources

Severity: 9/10 · Confidence: 0.93 · Category: prompt-injectionAffected frameworks: crewai, langchain, autogen, llama-index, semantic-kernelAgent retrieves content from external sources (web, documents, APIs) without sanitization. Attacker embeds injection payload in a web page, PDF, or email. Retrieved content containing injection is added to agent context and interpreted as legitimate directives.Taint path: external_data_source (web page, PDF, email) → tool retrieves malicious content → injected into agent context → agent_action_executionIOC type: INDIRECT_INJECTIONReferences: OWASP LLM01:2025, MITRE AML.T0051, Greshake-2023 (ARXIV-2302.12173)Drako rules: SEC-007, SEC-008, GOV-002Remediation effort: significant

DRAKO-ABSS-2026-024 — Multi-Turn Context Manipulation and Gradual Goal Drift

Severity: 7/10 · Confidence: 0.85 · Category: prompt-injectionAffected frameworks: crewai, langchain, autogen, llama-index, semantic-kernelAgent maintains conversation history across turns without periodic re-validation against the system prompt. Attacker sends benign messages to build trust, then gradually introduces deviations and references fabricated prior agreements to shift agent behavior.Taint path: user_input_across_multiple_turns → fabricated prior agreements drift behavior → agent context fills with manipulated history → agent_policy_violationIOC type: CONTEXT_MANIPULATIONReferences: OWASP LLM01:2025, MITRE AML.T0051, Multi-Turn-Attacks-2024 (ARXIV-2404.16563)Drako rules: SEC-007, GOV-001Remediation effort: moderate

DRAKO-ABSS-2026-025 — Tool-Abuse Injection via Manipulated Agent Instructions

Severity: 9/10 · Confidence: 0.94 · Category: prompt-injectionAffected frameworks: crewai, langchain, autogen, llama-index, semantic-kernelAgent has access to tools with side effects (file I/O, network, code execution) without human-in-the-loop approval or tool-level permission scoping. Attacker crafts input instructing the agent to invoke a specific tool with dangerous arguments.Taint path: user_input / indirect_injection_payload → LLM generates tool call with attacker-controlled arguments → framework dispatches without parameter validation → tool.execute() with dangerous parametersIOC type: TOOL_ABUSEReferences: OWASP LLM08:2025, LLM07:2025, MITRE AML.T0051, Tool-Use-Risks-2024 (ARXIV-2403.04893)Drako rules: SEC-005, SEC-007, GOV-005, GOV-006Remediation effort: moderate

IOC pattern hashes

Advisory IOC patterns are stored as SHA-256 hashes of normalized (lowercase, stripped) strings. This lets Drako perform runtime matching without distributing raw injection patterns:

import hashlib

def compute_pattern_hash(pattern: str) -> str:
    normalized = pattern.strip().lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()

You can retrieve all IOC hashes programmatically:

from drako.advisories import get_ioc_hashes

hashes = get_ioc_hashes()  # set[str] — all hashes across all advisories

Collective intelligence

When runtime enforcement is enabled, Drako participates in collective IOC sharing across deployments:

A detection on one deployment propagates to all connected tenants in under 5 seconds
Only normalized pattern hashes are shared — never raw payloads, prompts, or user data
Sharing is anonymous and opt-in; configure via collective_intelligence.enabled in .drako.yaml
New IOC hashes are validated against the ABSS schema before distribution

Collective intelligence requires a Drako platform connection (api_key_env and endpoint in .drako.yaml). It is not available in offline-only scan mode.

Contributing an advisory

To submit a new advisory:

Fork the Drako repository.
Create a new YAML file in src/drako/data/advisories/ following the ABSS schema.
Include at least one external reference (CVE, paper, GitHub issue, or blog post).
Open a pull request with a brief description of the vulnerability.

All submitted advisories are reviewed by Drako Security Research before inclusion. Published advisories are released under CC-BY-4.0.

CLI Reference

Python SDK

Rules & Advisories

Security advisories (DRAKO-ABSS)

What DRAKO-ABSS is

Coverage

OWASP Top 10 for LLMs

MITRE ATLAS

Framework CVEs

Prompt injection patterns

How advisories appear in scan output

ABSS format

IOC types

Advisory catalogue

IOC pattern hashes

Collective intelligence

Contributing an advisory

Build docs developers (and LLMs) love

CLI Reference

Python SDK

Rules & Advisories

​What DRAKO-ABSS is

​Coverage

OWASP Top 10 for LLMs

MITRE ATLAS

Framework CVEs

Prompt injection patterns

​How advisories appear in scan output

​ABSS format

​IOC types

​Advisory catalogue

​IOC pattern hashes

​Collective intelligence

​Contributing an advisory

Build docs developers (and LLMs) love

What DRAKO-ABSS is

Coverage

How advisories appear in scan output

ABSS format

IOC types

Advisory catalogue

IOC pattern hashes

Collective intelligence

Contributing an advisory