Agent Memory Guard: Security middleware for LlamaIndex memory/state (OWASP project)

[vgudur-dev]

What I built

Agent Memory Guard — an open-source Python middleware that screens memory reads/writes in AI agent systems for injection attacks, data poisoning, and exfiltration.

Why LlamaIndex users should care

If you use LlamaIndex with persistent memory (chat stores, vector stores for agent context, or the Context workflow pattern), your agents are vulnerable to memory poisoning — classified as OWASP ASI-06.

Attack scenario:

1. Attacker crafts input with an encoded injection payload
2. Your agent stores it in memory (chat history, vector store, Context object)
3. On next retrieval, the poisoned memory enters the agent's context window
4. Agent follows attacker's instructions instead of the user's

Integration with LlamaIndex

pip install agent-memory-guard

from llama_index.core.workflow import Context, Workflow, step, StartEvent, StopEvent
from agent_memory_guard import MemoryGuard

guard = MemoryGuard()

class SecureWorkflow(Workflow):
    @step
    async def process(self, ctx: Context, ev: StartEvent) -> StopEvent:
        user_input = ev.input
        
        # Screen before storing to context
        scan = guard.scan(user_input)
        if not scan.is_safe:
            return StopEvent(result=f"Blocked: {scan.threat_type}")
        
        # Safe to store in persistent state
        await ctx.set("last_input", user_input)
        # ... continue workflow
        return StopEvent(result="Processed safely")

Key features

• 5 detection layers: heuristic patterns, embedding similarity, entropy analysis, encoding detection, LLM-as-judge
• 59μs median latency — adds no noticeable overhead to your pipeline
• Framework agnostic — works with LlamaIndex, LangChain, CrewAI, AutoGen
• OWASP incubator project — actively maintained

Links

• GitHub: https://github.com/OWASP/www-project-agent-memory-guard
• PyPI: https://pypi.org/project/agent-memory-guard/
• OWASP page: https://owasp.org/www-project-agent-memory-guard/

Would love feedback from the LlamaIndex community. Especially interested in the best integration points — should this be a callback handler, a custom retriever wrapper, or a workflow step?