Local LLM Agents as Vulnerable Runtimes: A Source-Code Audit of the Agent Runtime Layer

Focus: The security of LLM agent systems is evaluated almost exclusively at the model level (can the model be jailbroken?) but the agent runtime — the code that orchestrates tool use, manages context, and executes model outputs — introduces independent vulnerabilities. This audit systematically examines popular open-source agent frameworks and documents critical runtime-layer security failures.

Key Insights

• Prompt injection via tool outputs: Agent runtimes that naively concatenate tool outputs into the model’s context allow a malicious tool response (e.g., from a compromised web page or API) to inject instructions that override the original task — a runtime-level attack independent of model alignment.
• Unsafe code execution pathways: Several audited frameworks execute model-generated code without sandboxing, allowing an agent that is prompted to “write and run a test” to execute arbitrary system commands.
• Credential exposure via context leakage: API keys, database credentials, and session tokens passed to the agent in environment variables or tool configurations frequently appear in model context windows that can be exfiltrated via prompt injection.

Failure-First Relevance

AIRTBench’s autonomous red-teaming benchmark demonstrates that frontier models can already discover and exploit prompt injection vulnerabilities. This audit provides the complementary attack surface catalogue — knowing which specific runtime patterns are exploitable guides both the Failure-First red-teaming scenarios and the defensive recommendations for agentic deployment. The code execution and credential exposure findings are directly relevant to any Failure-First engagement involving agentic AI systems.