Python: [Feature Request] Memory Poisoning Protection for Semantic Kernel via OWASP Agent Memory Guard

[vgudur-dev]

Problem

Semantic Kernel agents with persistent memory (ChatHistory, VolatileMemoryStore, or custom stores) are vulnerable to memory poisoning attacks. Adversarial inputs stored in memory can cause agents to leak secrets, ignore instructions, or produce corrupted outputs. OWASP identifies this as a top risk for LLM applications.

Proposed Solution

OWASP Agent Memory Guard (AMG) is an open-source Python library that wraps any memory store as a transparent security layer:

• pip install agent-memory-guard
• Scans every memory write for prompt injection, PII leakage, and tampering
• 92.5% detection rate on AgentThreatBench
• <5ms latency per scan

Links

• GitHub: https://github.com/OWASP/www-project-agent-memory-guard
• PyPI: https://pypi.org/project/agent-memory-guard/
• Benchmark: https://pypi.org/project/agent-threat-bench/

Would the Semantic Kernel team consider integrating AMG as a security layer for agent memory? Happy to contribute a PR.

[vgudur-dev]

Update: Help Net Security published a feature article on OWASP Agent Memory Guard today, covering the technical approach and roadmap: https://www.helpnetsecurity.com/2026/06/01/owasp-agent-memory-guard/

Note: This issue consolidates several related requests I filed (#14010, #14006, #14011, #14025). Happy to close the duplicates if the team prefers to track this in one place. Would love to contribute a PR for a GuardedMemoryStore wrapper if there's interest.

[norika1207-lab]

One practical way to make this easier to evaluate is to turn the report into a small contract test around the runtime boundary, not only the user-facing symptom.

For Memory Poisoning Protection via OWASP Agent Memory Guard, I would check three things: first, the failing input is preserved as a minimal fixture; second, the SDK emits the same observable event/result shape before and after the fix except for the intended change; third, the trace or serialized session contains enough metadata to explain what happened after a resume or retry.

The part that matters for agent systems is durability: if a tool call, memory write, handoff, or structured-output step fails, downstream code should not have to infer state from natural-language output. A focused regression test around that boundary would make the issue much easier to close with confidence.

[vgudur-dev]

@norika1207-lab — Great suggestion on contract tests around the runtime boundary. You're right that durability is the key property for agent memory systems.

We've actually built something close to what you're describing in the agent-threat-bench package (https://pypi.org/project/agent-threat-bench/). It provides:

1. Minimal fixtures — 50+ curated injection payloads that represent real attack patterns (not synthetic noise)
2. Observable event shape — Each scan returns a structured ScanResult with risk_level, detection_details, and confidence that can be asserted against deterministically
3. Metadata for replay — The scan result includes enough context (which detectors fired, entropy scores, pattern matches) to explain why content was flagged

For a Semantic Kernel integration specifically, the contract test would look like:

from agent_memory_guard import scan_text
from agent_threat_bench import load_payloads

def test_memory_guard_catches_injections():
    payloads = load_payloads(category="prompt_injection")
    for payload in payloads:
        result = scan_text(payload.content)
        assert result.risk_level in ("high", "critical"), f"Missed: {payload.id}"
        assert "detection_details" in result.__dict__

Would you be interested in collaborating on a GuardedMemoryStore wrapper PR? The integration point would be MemoryStoreBase.upsert() — we intercept before persistence and emit structured events that SK's telemetry can capture.