HELM AI Kernel
OWASP Agentic Top 10 Mapping
Open-source execution kernel, CLI, MCP, conformance, verification, and compatibility.Audience
Security reviewers checking which OWASP Agentic AI Top 10 risks are covered by current HELM AI Kernel evidence.
Outcome
After this page you should know what this surface is for, which source files own the behavior, which public route or adjacent page to use next, and which validation command to run before changing the claim.
Source Truth
- Public route:
helm-ai-kernel/security/owasp-agentic-top10-mapping - Source document:
helm-ai-kernel/docs/security/owasp-agentic-top10-coverage.md - Public manifest:
helm-ai-kernel/docs/public-docs.manifest.json - Source inventory:
helm-ai-kernel/docs/source-inventory.manifest.json - Validation:
make docs-coverage,make docs-truth, andnpm run coverage:inventoryfromdocs-platform
Do not expand this page with unsupported product, SDK, deployment, compliance, or integration claims unless the inventory manifest points to code, schemas, tests, examples, or an owner doc that proves the claim.
Troubleshooting
| Symptom | First check |
|---|---|
| Published output is stale or incomplete | Run npm run helm-public:accuracy in docs-platform, then check the source path and public manifest row for this page. |
| A claim needs implementation backing | Check the Source Truth files above and update the implementation, manifest, source inventory, or page in the same change. |
Diagram
This scheme maps the main sections of OWASP Agentic Top 10 Mapping in reading order.
flowchart TD
subgraph Ingestion["1. Ingestion & Context Plane"]
Page["OWASP Agentic Top 10 Mapping"]
A["Source truth"]
C["Validation"]
end
subgraph Execution["3. Execution & Verdict Plane"]
B["Reader action"]
end
%% Operational Flow Edges
Page --> A
A --> B
B --> C
%% Premium Styling Rules
style B fill:#3182ce,stroke:#2b6cb0,stroke-width:2px,color:#fffMermaid source
flowchart TD
subgraph Ingestion["1. Ingestion & Context Plane"]
Page["OWASP Agentic Top 10 Mapping"]
A["Source truth"]
C["Validation"]
end
subgraph Execution["3. Execution & Verdict Plane"]
B["Reader action"]
end
%% Operational Flow Edges
Page --> A
A --> B
B --> C
%% Premium Styling Rules
style B fill:#3182ce,stroke:#2b6cb0,stroke-width:2px,color:#fffThis file is a code-oriented inventory of retained control points in the OSS kernel.
| OWASP Category | Repository Control Points |
|---|---|
| ASI-01 Prompt Injection | core/pkg/threatscan/, guarded execution boundary |
| ASI-02 Tool Poisoning | contract validation, firewall, connector validation |
| ASI-03 Excessive Permission | policy and effect-boundary packages |
| ASI-04 Insufficient Validation | guardian, manifest, schema, and policy packages |
| ASI-05 Improper Output Handling | evidence, receipts, and verification flow |
| ASI-06 Resource Overuse | budget and execution-control packages |
| ASI-07 Cascading Effects | proof graph and effect tracking |
| ASI-08 Sensitive Data Exposure | firewall, policy, and receipt material |
| ASI-09 Insecure Tool Integration | MCP, connector, and schema surfaces |
| ASI-10 Insufficient Monitoring | evidence export, proof graph, and verification commands |
Use this page as an implementation map. Validation still depends on the code, tests, and verification commands in the repository.
Coverage Discipline
OWASP Agentic Top 10 coverage must stay evidence-backed. For each risk, name the HELM AI Kernel control, the code or schema that implements it, the public example or fixture that exercises it, and the residual risk that remains outside the OSS boundary. Do not imply that policy evaluation replaces app authorization, secrets management, sandboxing, or network egress controls. The strongest public page shows both prevention and observability: how a risky action is blocked, how the receipt records it, how the verifier checks it, and what an operator should inspect when the action is allowed under policy.
Link every mitigation to a concrete evidence artifact so evaluators can check the claim without reading unrelated implementation internals.