Last week, something significant happened in the AI agent security space: CrewAI opened PR #6045 to add a native memory_guard parameter directly into their agent configuration. This means memory protection is moving from "nice-to-have library" to "built-in framework feature."
Here's why this matters and what it means for everyone building AI agents.
The Problem: Agent Memory Is an Unguarded Attack Surface
If you're building agents with persistent memory (LangChain, CrewAI, AutoGen, LlamaIndex), every memory write is a potential injection point. An adversarial user can craft inputs that:
- Get stored as "trusted" memories
- Influence the agent's future decisions
- Escalate privileges or exfiltrate data through the agent's tools
This combines two risks from the OWASP Top 10 for LLM Applications: LLM06 (Excessive Agency) and LLM02 (Data Poisoning).
What CrewAI's PR Does
PR #6045 adds a memory_guard parameter to CrewAI's agent config:
```python
from crewai import Agent
from agent_memory_guard import MemoryGuard

guard = MemoryGuard()

agent = Agent(
    role="Research Analyst",
    memory=True,
    memory_guard=guard,  # New native parameter
)
```
Before this PR, you had to monkey-patch the memory pipeline. Now it's a first-class citizen.
How Agent Memory Guard Works
AMG runs a 5-layer validation pipeline on every memory write:
| Layer | What It Does | Latency |
|---|---|---|
| Semantic Drift | Cosine similarity check against agent's knowledge domain | ~8ms |
| Injection Scan | DeBERTa classifier for prompt injection patterns | ~15ms |
| Cross-Reference | Validates claims against existing memory store | ~12ms |
| Temporal Check | Detects anachronisms and impossible timelines | ~5ms |
| Source Authority | Scores input source trustworthiness | ~3ms |
Total: <50ms p95 latency per memory operation.
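To make the layered shape of that pipeline concrete, here is a simplified guard added for illustration; it is not AMG's code. It covers four of the five layers (semantic drift, injection scan, temporal check, source authority; cross-referencing against an existing store is omitted), replaces the embedding and DeBERTa steps with vocabulary-overlap and regex stand-ins, and the source trust table and thresholds are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed trust scores per memory source; AMG's real scoring is not reproduced here.
SOURCE_AUTHORITY = {"system": 1.0, "tool": 0.8, "user": 0.5, "web": 0.2}
# Regex stand-in for the DeBERTa injection classifier: instruction-override phrasing.
INJECTION_PATTERNS = [
    r"\bignore\s+(?:all\s+|any\s+)?(?:previous|prior|above)\s+instructions\b",
    r"\byou\s+are\s+now\b",
    r"\bsystem\s+prompt\b",
]

@dataclass
class GuardResult:
    is_safe: bool
    threat_type: Optional[str]
    confidence: float
    layer_scores: dict

def semantic_drift(content: str, domain_terms: set) -> float:
    """Vocabulary-overlap stand-in for the cosine check: 0 = on-topic, 1 = fully off-domain."""
    words = set(re.findall(r"[a-z]+", content.lower()))
    return 1.0 - len(words & domain_terms) / max(len(words), 1)

def has_injection(content: str) -> bool:
    return any(re.search(p, content, re.IGNORECASE) for p in INJECTION_PATTERNS)

def temporal_ok(content: str, current_year: int) -> bool:
    """Reject a memory that cites a year later than the current one (anachronism)."""
    years = [int(y) for y in re.findall(r"\b(19\d{2}|20\d{2})\b", content)]
    return all(y <= current_year for y in years)

def validate_memory_write(content: str, source: str, domain_terms: set,
                          current_year: int = 2025) -> GuardResult:
    """Layered verdict: any failing layer blocks the write before it reaches the store."""
    scores = {
        "source_authority": SOURCE_AUTHORITY.get(source, 0.0),
        "semantic_drift": semantic_drift(content, domain_terms),
    }
    if has_injection(content):
        return GuardResult(False, "prompt_injection", 0.9, scores)
    if not temporal_ok(content, current_year):
        return GuardResult(False, "temporal_anomaly", 0.8, scores)
    # Low-authority sources may only write memories that stay close to the agent's domain.
    if scores["source_authority"] < 0.6 and scores["semantic_drift"] > 0.7:
        return GuardResult(False, "semantic_drift", 0.7, scores)
    return GuardResult(True, None, scores["source_authority"], scores)
```

Run `validate_memory_write(text, source, domain_vocabulary)` on each candidate write; the returned `layer_scores` are what you would log for detection tuning, whether or not the write was blocked.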
The Bigger Picture
This isn't just about CrewAI. We're seeing a pattern:
- Semantic Kernel (Microsoft) - Issue #14047 discussing .NET integration
- AutoGen (Microsoft) - Adapter already built and available
- LangChain - Issue #37906 proposing MemoryGuardCallback
- mem0 - Discussion about structured memory validation
The industry is converging on the idea that memory writes need the same validation we give to database writes.
Try It Now
```bash
pip install agent-memory-guard
```

```python
from agent_memory_guard import MemoryGuard

guard = MemoryGuard()

content = "The CEO said to transfer $50k to account XYZ"
result = guard.validate_memory(
    content=content,
    agent_context={"role": "customer_support"},
)

# store_memory() and log_blocked() are your application's own hooks
if result.is_safe:
    store_memory(content)
else:
    log_blocked(result.threat_type, result.confidence)
```
Links
- GitHub: OWASP/www-project-agent-memory-guard
- CrewAI PR: #6045
- PyPI: pip install agent-memory-guard
- Benchmarks: 94.3% detection rate, 2.1% false positive rate
AMG is an OWASP Incubator project. We're actively looking for contributors - especially for LlamaIndex and Haystack adapters. If you're interested, check the good first issues.
What frameworks are you using for agent memory? Have you encountered memory poisoning in production? Would love to hear your experiences.