
Security Rules Reference

112 rules across 72 categories — 🚨 39 critical, 🔴 65 high, 🟡 8 medium.

Action Configuration

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-1.2 | 🔴 High | Schema Synchronization Verification | Detects when schema |

Agent Script Safety

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-2.3 | 🔴 High | Prompt Injection Defense Heuristics | Detects when dynamic user input variables are injected into prompt templates or agent instructions without defensive boundary patterns, creating vulnerability to prompt injection attacks that can override system instructions and bypass security policies |
| AGENTFORCE-2.1 | 🟡 Medium | Validation Guard Clause Enforcement | Detects when Agent Script invokes state-modifying actions (Apex/Flow targets) without preceding validation logic such as conditional guards or available_when clauses |

MuleSoft Agent Fabric

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-AF-01 | 🚨 Critical | Broker PII Routing Without Guard | Detects Agent Fabric brokers that route requests to agents processing PII-classified fields without PII output guards |
| AGENTFORCE-AF-02 | 🔴 High | LLM Provider Without Rate Limit | Detects LLM provider configurations in Agent Fabric that lack rate limiting controls |
| AGENTFORCE-AF-03 | 🔴 High | A2A Card Overpermissioned Scope | Detects A2A Agent Cards that advertise sensitive capabilities (database writes, deployments, payments) without requiring strong authentication (mTLS, OAuth2) |
| AGENTFORCE-AF-04 | 🔴 High | Broker Privilege Escalation via Routing | Detects Agent Fabric brokers with routing strategies (fallback, round-robin) that route across agents at different privilege levels |
| AGENTFORCE-AF-05 | 🟡 Medium | Bidirectional Agent Communication Without Broker | Detects agents in the Agent Fabric that can communicate bidirectionally (Agent A calls Agent B and Agent B calls Agent A) without a mediating broker to control the conversation |

Supply Chain Security

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-SC-01 | 🚨 Critical | Malicious API Downgrade Injection | Agentforce metadata requires sourceApiVersion 64 |
| AGENTFORCE-SC-02 | 🔴 High | Silent Schema Desync Exploit | When a schema |
| AGENTFORCE-SC-03 | 🟡 Medium | Managed Package Origin | Detects when AI agent actions invoke Apex classes or Flows from managed packages (third-party code) |

Agent Flow Integrity

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-2.2 | 🟡 Medium | Transition Integrity | Every agent topic should either transition to another topic or define actions that perform useful work |

AgentExchange Supply-Chain

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-SC-10 | 🚨 Critical | Tool Namespace Shadowing (Confused Deputy) | Detects when third-party AgentExchange plugins register tools with API names identical or similar to core Salesforce internal functions, or embed cross-origin shadowing directives in their description fields |
| AGENTFORCE-SC-11 | 🔴 High | Unbound Gateway Activation | Detects agents active in Salesforce metadata but absent from Agent Fabric (Flex Gateway) governance policies |
| AGENTFORCE-SC-12 | 🔴 High | Transitive Prompt Poisoning | Detects meta-prompting instructions in third-party plugin instruction definitions that attempt to override core system instructions or bypass enterprise guardrails |

Agentforce for Commerce

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-17.1 | 🚨 Critical | Commerce Agent Without Idempotency Key | Detects agent actions targeting Apex classes that make HTTP callouts to Commerce or Order Management APIs without including an Idempotency-Key header |
| AGENTFORCE-17.2 | 🚨 Critical | Commerce Agent Amount Without Bounds Check | Detects Apex invocables called by Commerce agent actions that manipulate Amount, Quantity, or Price fields without validating bounds |

Agentic Architecture

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-7.1 | 🔴 High | Topic Action Bloat (God-Topic Prevention) | Detects monolithic 'God Topics' configured with 5 or more actions |
| AGENTFORCE-7.2 | 🔴 High | Inadequate Skill Semantics | Detects GenAiFunctions and Agent Actions with missing or dangerously brief (<20 chars) descriptions |
| AGENTFORCE-7.3 | 🔴 High | Orphaned Bot Without AiEvaluationDefinition | Detects deployed Bots/BotVersions that have no corresponding AiEvaluationDefinition in the repository |
| AGENTFORCE-8.1 | 🔴 High | Context Traversal Exfiltration (ForcedLeak Mitigation) | Detects deep object graph traversals in agent prompts |

Autonomous Scheduling

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-11.1 | 🚨 Critical | Unguarded Autonomous Scheduled Action | Detects agent actions that invoke Scheduled Apex or Batch Apex without requiring user confirmation |
| AGENTFORCE-11.2 | 🔴 High | Time-Window Privilege Drift | Detects Scheduled Apex classes invoked by agent actions that declare 'without sharing' and perform DML |

Custom Permission Enforcement

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-16.1 | 🔴 High | Agent Action Without Custom Permission Gate | Detects agent actions targeting Apex classes that perform DML on financially sensitive objects (Opportunity, Order, Contract, Quote) without checking CustomPermission or FeatureManagement |

Data Cloud Grounding

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-13.1 | 🚨 Critical | RAG Knowledge Source Without Schema Classification | Detects GenAiPromptTemplates that reference fields without SecurityClassification tags |

Data Exfiltration

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-21.1 | 🚨 Critical | PII/PHI Payload Leakage in Tool Output | Detects when agent actions invoke Apex classes that query Salesforce objects containing fields classified as PII, PHI, CCPA, GDPR, HIPAA, or PCI |

Data Exfiltration / Injection

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-21.2 | 🔴 High | Insecure Output Handling (Agent-to-XSS) | Detects Flow screens targeted by agent actions that render LLM-generated output without sanitization |

Einstein Copilot Studio Configuration

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-12.1 | 🚨 Critical | Latent Memory Poisoning in Prompt Template | Detects GenAiPromptTemplates that use Conversation Memory ({!Conversation |
| AGENTFORCE-12.2 | 🚨 Critical | GenAiPlannerBundle API Version Drift | API v64 |

Excessive Agency

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-1.1 | 🚨 Critical | Mandatory User Confirmation | GenAiFunction actions that invoke Apex or Flow backend logic must require user confirmation to prevent the AI agent from autonomously executing side-effects |
| AGENTFORCE-20.1 | 🚨 Critical | DML Bypassing FLS in Invocable Actions | Detects Apex classes invoked by AI agent actions that perform DML operations (insert/update/delete/upsert/merge) without enforcing Field Level Security (FLS) |
| AGENTFORCE-20.2 | 🚨 Critical | Unconstrained ModifyAllData in Agent Context | Detects agent actions configured to run in system context (ModifyAllData equivalent), granting the LLM planner org-wide data access without user-scope constraints |
| SNOW-20.2 | 🚨 Critical | Role Masking Not Configured for Dynamic User Agent | Validates that AI Agents using Dynamic User identity mode have Role Masking properly configured |

External Service Security

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-15.1 | 🔴 High | External Service Without Certificate Pinning | Detects Named Credentials used for external service calls that lack certificate pinning (useClientCertificate = false) |
| AGENTFORCE-15.2 | 🔴 High | Dynamic Cloaking via External RAG Source | Detects GenAiPromptTemplates that ground against external data sources not in the project's trusted grounding allowlist |

Governance

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-4.3 | 🔴 High | Synthetic Evaluation Completeness | Enforces that all deployed GenAiPlannerBundles possess corresponding AiEvaluationDefinition test suites |

Graph: Cascading Automation

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-32.1 | 🔴 High | Unintended Autonomous Blast Radius | [Enterprise] Detects when an agent-triggered DML operation on an SObject fires an ApexTrigger that dispatches async jobs (Future/Queueable) with external HTTP callouts |

Graph: Component Injection

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-34.1 | 🚨 Critical | Agent-to-UI XSS (Component Injection Graph) | [Enterprise] Performs a 4-hop graph traversal proving an LLM-generated string travels from agent output through a Flow screen variable into an LWC component that renders it via unsafe innerHTML or lwc:inner-html without sanitization |

Graph: MCP Identity Mismatch

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-33.1 | 🔴 High | MCP Over-Provisioning | [Enterprise] Detects MCP server configurations where the authorizing Connected App has full-scope OAuth access (full/api/chatter_api) disproportionate to the MCP tool's stated narrow purpose |

Graph: PII Exfiltration Path

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-30.1 | 🚨 Critical | Context Window PII Poisoning (Graph) | [Enterprise] Performs a 4-hop graph traversal to prove regulated data (PII/PHI/GDPR/HIPAA/PCI) travels from a classified CustomField through an Apex query, an agent action invocation, and into an LLM PromptTemplate context window |

Graph: Privilege Escalation Path

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-31.1 | 🚨 Critical | Autonomous Without-Sharing Escalation (Deep) | [Enterprise] Detects 4-hop privilege escalation: a guest/Community-accessible agent topic whose action targets a System-mode Flow that invokes a without sharing Apex class |

Grounding Security

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-3.1 | 🚨 Critical | Hardcoded Sensitive Indicators | Detects hardcoded API keys, OAuth tokens, passwords, PII patterns (SSN, credit cards), private keys, and internal URLs in prompt template text and plugin instructions |
| AGENTFORCE-3.2 | 🚨 Critical | Field-Level Security Masking Alignment | Dynamically verifies that custom fields referenced in Prompt Templates possess a SecurityClassification tag |

Headless MCP Access

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-MCP-01 | 🚨 Critical | Token Passthrough Exposure Configuration | Detects MCP server configurations using static OAuth client IDs without PKCE enforcement, missing Device Authorization Grant patterns, or lacking Flex Gateway routing policies |
| AGENTFORCE-MCP-02 | 🚨 Critical | Broad Scope DevOps Pipeline Inheritance | Detects when external coding agents (Cursor, Claude Code, Windsurf) are granted access to DevOps Center MCP deployment tools targeting production environments without explicit deterministic approval gates |
| AGENTFORCE-MCP-04 | 🚨 Critical | MCP Tool Definition Drift (Rug Pull Detection) | Detects when MCP tool definitions (descriptions, parameters, schemas) have changed since the last certified scan — indicating a potential Rug Pull attack where a trusted MCP server silently updates its behavior |
| AGENTFORCE-MCP-03 | 🔴 High | Missing Protocol Scope Constraints | Detects MCP server configurations with wildcard scopes, missing scope definitions, or high-privilege tool exposure without namespace isolation |
| AGENTFORCE-MCP-05 | 🔴 High | Shadow MCP Server Detection | Detects MCP servers configured in |
| AGENTFORCE-MCP-06 | 🔴 High | MCP Schema Parameter Injection | Detects manipulation of JSON Schema definitions for MCP tool and GenAiFunction parameters |
| AGENTFORCE-MCP-07 | 🔴 High | MCP Server Network Exposure | Detects MCP servers configured with non-localhost bind addresses (0 |

Injection

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-FLOW-03 | 🔴 High | Variable Injection in DML | Dynamic AI input is evaluated directly inside a Flow Object Filter, risking SOQL injection |

Instruction Integrity

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-9.1 | 🚨 Critical | Metadata Instruction Poisoning | Detects adversarial content patterns in metadata instruction fields (GenAiPlugin instructions, GenAiFunction descriptions, Agent Script systemInstructionOverrides, PromptTemplate content) that could manipulate the LLM planner into performing unauthorized actions |
| AGENTFORCE-9.2 | 🔴 High | Cross-Topic Instruction Boundary | Detects when a topic's instruction text references another topic's name or attempts to override the planner's topic-selection logic |

MCP Authentication

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-24.2 | 🔴 High | Missing Signature Validation on Agent Webhook | Detects @RestResource Apex endpoints accessible to agent actions that do not implement HMAC signature verification |

Multi-Agent Orchestration

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-18.1 | 🚨 Critical | Compositional Fragment Trap Risk | Detects partial instruction fragments across multiple GenAiPlugins that, when combined by the GenAiPlannerBundle, may reconstitute a complete override instruction not visible in any individual topic (ref: SSRN-6372438 'Compositional Fragment Traps') |
| AGENTFORCE-18.2 | 🔴 High | Sybil Identity in Multi-Agent Orchestration | Detects duplicate Bot labels or descriptions within a project's agent orchestration |
| SNOW-18.2 | 🔴 High | Yokohama Agent Duplication Sybil | Detects duplicated AI Agent definitions that share tool references (sn_aia_agent_tool_m2m) |

Network Security

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-API-01 | 🔴 High | External Callout Injection | AI input mapped directly into an external API structure risks Server Side Request Forgery (SSRF) or data leakage |

OpenGraph Security

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-OG-01 | 🔴 High | OGP Metadata Prompt Injection | Detects prompt injection patterns embedded in Open Graph Protocol metadata (og:description, og:title) on URLs referenced by agent actions, MCP tools, or prompt template data providers |
| AGENTFORCE-OG-03 | 🔴 High | Attractive Metadata Attack via OGP | Detects 'Attractive Metadata Attacks' (NeurIPS 2025) where OGP metadata on MCP server or tool endpoints contains language designed to manipulate LLM tool-selection mechanisms |
| AGENTFORCE-OG-02 | 🟡 Medium | A2A Agent Card / OGP Trust Mismatch | Detects mismatches between an agent's A2A Agent Card capabilities and its Open Graph metadata description |

Operational Reliability

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-10.1 | 🟡 Medium | Validation Rule Conflict | Detects when AI agent actions target Salesforce objects that have validation rules which could silently reject DML operations |

Orchestration Integrity

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-4.1 | 🔴 High | Planner Orchestration Completeness | GenAiPlannerBundle must reference only GenAiPlugins and GenAiFunctions that exist in the workspace |

Platform Event Security

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-19.1 | 🚨 Critical | Sub-agent Spawning via Platform Event | Detects agent actions that publish Platform Events where a Platform Event Trigger on that event type invokes another agent session or GenAiFunction |
| AGENTFORCE-19.2 | 🔴 High | CDC Without Field Filter in Agent Context | Detects Change Data Capture triggers that deliver unfiltered field changes to agent contexts |

Privilege Escalation

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-FLOW-01 | 🚨 Critical | System Context Enforcement | Agent invokes a Flow running in SystemModeWithoutSharing, bypassing all profile security bounds |
| AGENTFORCE-1.3 | 🔴 High | Target Context Privilege Analysis | Apex classes invoked by Agentforce actions must enforce sharing rules |

Prompt Injection

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-PT-01 | 🚨 Critical | Template Context Poisoning | Unmasked agent input is directly rendered into a GenAI Prompt Template content block |

Resource Exhaustion

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-23.1 | 🔴 High | Non-Selective SOQL in Agent Tools (Agent DoS) | Detects Apex classes invoked by agent actions that contain SOQL queries without LIMIT clauses |

Runtime Capability Drift

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-RD-01 | 🔴 High | Headless Confirmation Bypass (Experience Layer) | Detects when high-privilege agent actions (DML, Apex deployment, permission modification, financial transactions) can be invoked through headless Headless 360 endpoints without a deterministic Agent Script transition requiring an Experience Layer approval card |
| AGENTFORCE-RD-03 | 🔴 High | PII Output Bypass in Headless Transmissions | Detects GenAiFunction actions whose output references objects with FLS-designated sensitive fields (PII, financial data) when no Agent Fabric PII Detector policy covers the agent |
| AGENTFORCE-RD-04 | 🔴 High | Headless PII Route Validation | Validates that all agent output paths involving PII-sensitive fields are routed through Agent Fabric policies with both PII detection and prompt guard enforcement |
| AGENTFORCE-RD-02 | 🟡 Medium | Variable State Condition Evasion | Detects when security-critical ConversationContextVariables (authentication status, user clearance, financial limits) are declared in the AiAuthoringBundle but never referenced in deterministic Agent Script transition conditions (-> if @variables |

SSRF

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-22.1 | 🚨 Critical | Unsafe Autonomous HTTP Callouts | Detects Apex classes invoked by agent actions that make HTTP callouts to dynamically constructed endpoints without Named Credential enforcement |

Security Configuration

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-PT-02 | 🔴 High | Experimental Template Activation Exposure | Detects when a Prompt Template is configured for global Allowed access without explicit evaluation or safety constraints |

ServiceNow ACL

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-28.1 | 🚨 Critical | ACL Script Using GlideRecord (Recursive Bypass) | Detects GlideRecord usage in ACL scripts and agent-facing tool scripts |
| SNOW-28.6 | 🔴 High | addEncodedQuery Without User Context Restriction | Detects use of addEncodedQuery() in agent-facing scripts where addUserEncodedQuery() should be used |

ServiceNow API Authentication

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-24.1 | 🔴 High | Agent API Endpoint Without OAuth Scope Validation | Detects Scripted REST APIs and Now Assist API endpoints accessible to AI agents that lack OAuth entity scope validation |

ServiceNow Agent Architecture

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-7.1 | 🟡 Medium | Agent Instruction Bloat | Detects sn_aia_agent definitions with excessively large or poorly structured instruction fields |

ServiceNow Autonomous Scheduling

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-11.1 | 🔴 High | Scheduled Job Invoking Agent Without Guardrail | Detects scheduled jobs and background scripts that invoke AI Agents without execution guardrails, risking sub-agent spawning and resource exhaustion |

ServiceNow Data Exfiltration

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-21.1 | 🚨 Critical | Agent Script Accessing Sensitive Table Without Privacy Guard | Detects agent-accessible scripts that query sensitive ServiceNow tables (sys_user, sys_user_has_role, cmdb_ci, incident, hr_case, sys_attachment) without data privacy classification guards |

ServiceNow Data Privacy

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-13.1 | 🔴 High | Agent Accessing Classified Data Without Privacy Guard | Detects agent scripts accessing tables with sys_dictionary data_privacy classifications without enforcing privacy guards |

ServiceNow Domain Separation

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-29.1 | 🔴 High | Domain Separation Drift (Missing sys_domain) | Detects GlideRecordSecure queries in agent-facing scripts that lack sys_domain constraints |

ServiceNow Excessive Agency

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-20.1 | 🚨 Critical | Agent Executing With Admin Privileges | Detects AI Agent configurations where the execution identity has the admin role or the agent scripts use GlideRecord without Role Masking, granting unrestricted database access |

ServiceNow External Service

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-15.1 | 🔴 High | Integration Spoke Without Certificate Pinning | Detects IntegrationHub spoke configurations linked to AI agent flow actions that lack certificate pinning or use basic authentication |

ServiceNow Flow Security

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-5.1 | 🔴 High | Flow Action Without Input Validation | Detects Flow Designer actions (sys_hub_action) and subflows linked to AI agents that lack input validation or execute in system context |

ServiceNow Grounding Security

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-3.1 | 🔴 High | Grounding Source Without Classification | Detects AI Search grounding sources and RAG configurations that lack data classification guards |

ServiceNow Instruction Integrity

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-9.1 | 🚨 Critical | Prompt Injection Vector in Agent Instructions | Detects prompt injection vectors in sn_aia_agent instructions, NASK skill markdown, and inbound email action scripts |

ServiceNow MCP Access

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-25.1 | 🔴 High | MCP Server Without Scope Constraints | Detects MCP server configurations (echelon-ai-labs or native) accessible to ServiceNow AI Agents without protocol scope constraints or tool filtering |

ServiceNow MID Server Trust

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-31.1 | 🚨 Critical | MID Server / Discovery Trust Violation | Detects insecure MID Server integration patterns including Basic Auth usage, hardcoded credentials, missing mTLS/OAuth, and arbitrary command execution patterns |

ServiceNow Memory Safety

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-12.2 | 🚨 Critical | Latent Memory Poisoning in Agent Memory | Detects suspicious instruction-like patterns embedded in sn_aia_memory records |

ServiceNow Multi-Agent

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-18.1 | 🔴 High | Multi-Agent Compositional Fragment Trap | Detects compositional fragment risks when multiple agents share tools or use cases (sn_aia_usecase) |

ServiceNow Operational Reliability

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-10.1 | 🔴 High | Agent DML Without Data Policy Guard | Detects agent-accessible scripts performing insert/update/delete operations on tables without corresponding Data Policy validation, risking data corruption |

ServiceNow Resource Exhaustion

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-23.1 | 🔴 High | Unbounded GlideRecord Query in Agent Script | Detects agent scripts executing GlideRecord queries without setLimit() or chooseWindow(), enabling resource exhaustion through unbounded result sets |

ServiceNow Role-Based Access

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-16.1 | 🔴 High | Agent Action Without Role Gate | Detects agent tool scripts that perform privileged operations without gs |

ServiceNow Runtime Drift

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-27.1 | 🚨 Critical | Now Assist API Confirmation Bypass | Detects Now Assist API integrations and headless execution paths that bypass tool confirmation requirements |

ServiceNow SSRF

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-22.1 | 🚨 Critical | SSRF via Dynamic RESTMessageV2 Endpoint | Detects agent scripts using sn_ws |

ServiceNow Scope Hygiene

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-30.1 | 🔴 High | Application Scope Hygiene Violation | Detects ServiceNow AI agents and tools operating outside their declared application scope |

ServiceNow Script Safety

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-2.1 | 🚨 Critical | Unsafe Script Pattern in Agent Tool | Detects unsafe scripting patterns in agent-accessible Script Includes and Script Tools |

ServiceNow Skill Kit

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-12.1 | 🔴 High | Skill Kit Version Drift | Detects sys_gen_ai_skill_applicability records with missing ACLs or version mismatches between skill definitions and agent configurations |

ServiceNow Structural Dependency

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-4.1 | 🔴 High | Orphaned Agent Tool Reference | Detects orphaned or broken references in sn_aia_agent_tool_m2m and sn_aia_usecase definitions |

ServiceNow Supply Chain

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-26.1 | 🔴 High | Skill Namespace Shadowing | Detects duplicate tool/skill labels across scoped applications that can confuse the AI agent's tool selection |
| SNOW-6.1 | 🔴 High | Update Set Missing Agent Dependencies | Detects Update Sets containing AI Agent artifacts (sn_aia_*) with missing dependencies, unresolved sys_id references, or integrity violations |

ServiceNow Tool Configuration

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-1.1 | 🚨 Critical | Agent Tool Without Confirmation Gate | Detects sn_aia_tool definitions configured for autonomous execution (no user confirmation) when they perform operations with side-effects |

ServiceNow Trigger Execution

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-19.1 | 🔴 High | Business Rule Triggering Agent Execution | Detects Business Rules (sys_script) that invoke AI Agents |

ServiceNow Virtual Agent

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| SNOW-14.1 | 🔴 High | Virtual Agent Topic Without Input Sanitization | Detects Virtual Agent topics (sys_cs_topic), utterances, and topic-block scripts that process user input without sanitization |

Slack Integration Security

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-14.1 | 🔴 High | Slack Channel Bot Without DLP Guard | Detects Bots configured to operate in Slack channel contexts without Data Loss Prevention guards |

Structural Dependency

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-4.2 | 🔴 High | Component Deactivation Collision | Detects when a prompt template activation record sets accessLevel to 'Blocked' (deactivation) while the template is still referenced by other components |

Supply Chain: ToxicSkills

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-TS-01 | 🚨 Critical | Hidden Instruction in Markdown | Detects HTML comment blocks or CSS-hidden text in skill documentation (README |
| AGENTFORCE-TS-02 | 🔴 High | Base64 Payload in Skill File | Detects Base64-encoded strings in markdown skill files whose decoded content matches adversarial instruction patterns or credential formats |
| AGENTFORCE-TS-03 | 🔴 High | Zero-Width Unicode Injection | Detects zero-width Unicode characters (U+200B, U+200C, U+200D, U+FEFF) in markdown skill files |

Unauthorized Action

| Rule ID | Severity | Name | Description |
|---|---|---|---|
| AGENTFORCE-FLOW-02 | 🔴 High | Silent State Modification via Flow | Action targets a Flow containing DML mutations but is invoked without human-in-the-loop confirmation |