Agent Memory Guard: Protect Haystack agent memory from poisoning attacks (OWASP)

[vgudur-dev]

What I built

Agent Memory Guard — an open-source Python middleware that screens memory reads/writes in AI agent systems for injection attacks, data poisoning, and exfiltration.

Why Haystack users should care

If you use Haystack's ConversationMemory, ChatMessageWriter, or any pipeline with persistent state, your agents are vulnerable to memory poisoning — classified as OWASP ASI-06.

Attack scenario:

1. Attacker crafts input with an encoded injection payload
2. Your Haystack pipeline stores it in the document store or conversation memory
3. On next retrieval, the poisoned memory enters the LLM's context window
4. Agent follows attacker's instructions instead of the user's

Integration with Haystack

pip install agent-memory-guard

from haystack.components.writers import DocumentWriter
from haystack.document_stores.in_memory import InMemoryDocumentStore
from agent_memory_guard import MemoryGuard

guard = MemoryGuard()

# Screen documents before writing to store
def secure_write(documents):
    safe_docs = []
    for doc in documents:
        scan = guard.scan(doc.content)
        if scan.is_safe:
            safe_docs.append(doc)
        else:
            print(f"Blocked poisoned doc: {scan.threat_type}")
    return safe_docs

# Screen retrieved documents before passing to LLM
def secure_retrieve(documents):
    return [doc for doc in documents if guard.scan(doc.content).is_safe]

Key features

• 5 detection layers: heuristic patterns, embedding similarity, entropy analysis, encoding detection, LLM-as-judge
• 59μs median latency — adds no noticeable overhead
• Framework agnostic — works with Haystack, LangChain, LlamaIndex, CrewAI, AutoGen
• OWASP incubator project — actively maintained

Links

• GitHub: https://github.com/OWASP/www-project-agent-memory-guard
• PyPI: https://pypi.org/project/agent-memory-guard/
• OWASP page: https://owasp.org/www-project-agent-memory-guard/

Would love feedback from the Haystack community — especially on the best integration points (custom component? pipeline hook?).