Virtual Agent Scanning
SquireX scans Virtual Agent topic configurations (sys_cs_topic), NLU utterance definitions, and topic-block scripts for injection vectors and unauthorized data access patterns.
Threat Model
ServiceNow Virtual Agent is a conversational AI deployment that processes user utterances through NLU models and routes them to topic flows. When integrated with Now Assist:
- Topic-block scripts execute user input: utterances are attacker-controlled
- Channel bridging: Microsoft Teams/Slack spokes relay messages without platform-level sanitization
- Utterance training data poisoning: crafted training examples can bias NLU routing toward privileged topics
Rules
SNOW-14.1: Virtual Agent Topic Without Input Sanitization
Severity: High
Detects sys_cs_topic definitions with script blocks that process user input without sanitization.
```javascript
// VULNERABLE: raw user input passed to script block
(function execute(inputs, outputs) {
  var userInput = inputs.text; // Attacker-controlled!
  var gr = new GlideRecord('incident'); // GlideRecord does not enforce ACLs
  gr.addQuery('short_description', 'CONTAINS', userInput);
  gr.query();
  // Result returned to agent context: potential data exfiltration
})(inputs, outputs);

// SECURE: sanitized and bounded
(function execute(inputs, outputs) {
  var userInput = GlideSPScriptable.sanitize(inputs.text);
  // Reject oversized input before it reaches the query
  if (userInput.length > 200) {
    outputs.error = 'Input too long';
    return;
  }
  var gr = new GlideRecordSecure('incident'); // ACL-enforcing variant
  gr.setLimit(10); // Bound the number of rows returned
  gr.addQuery('short_description', 'CONTAINS', userInput);
  gr.query();
})(inputs, outputs);
```
SNOW-9.2: Inbound Email Action Triggers Agent
Severity: Critical
Detects inbound email action scripts that pass unsanitized email body/subject content to AI agents. Email is a classic injection vector where attacker-controlled content enters the agent's context.
Remediation: Strip HTML, limit input length, and validate against known injection patterns before passing email content to the agent.
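The three remediation steps above, as an added example in plain JavaScript (not SquireX or ServiceNow code). The function names, the `MAX_LEN` cap, and the pattern list are assumptions constructed for illustration.

```javascript
// Added example: plain JavaScript, no ServiceNow APIs. All names are hypothetical.
const MAX_LEN = 2000; // assumed cap; size it to what the agent actually needs

// Constructed deny-list of instruction-like phrases. Regexes are one layer only;
// the page's table pairs HTML stripping with content classification.
const SUSPICIOUS = [
  /ignore\s+(all\s+)?(previous|prior|above)\s+instructions/i,
  /disregard\s+(the\s+)?(rules|instructions)/i,
  /system\s*prompt/i,
];

const NAMED = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['nbsp', ' ']]);

// Decode entities first so encoded markup or phrases cannot slip past later steps.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, e) => {
    if (e[0] !== '#') return NAMED.get(e.toLowerCase()) ?? m;
    const cp = /^#x/i.test(e) ? parseInt(e.slice(2), 16) : parseInt(e.slice(1), 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
  });
}

function stripHtml(s) {
  return decodeEntities(s)
    .replace(/<!--[\s\S]*?-->/g, ' ')                      // comments
    .replace(/<(script|style)\b[\s\S]*?<\/\1\s*>/gi, ' ')  // non-content elements
    .replace(/<[^>]*>/g, ' ');                             // remaining tags
}

// Returns { allow, text, reasons }; pass `text` to the agent only when allow is true.
function prepareEmailForAgent(subject, body) {
  const reasons = [];
  let text = stripHtml(`${subject}\n${body}`)
    .normalize('NFKC')                            // fold compatibility look-alikes
    .replace(/[\u200B-\u200D\u2060\uFEFF]/g, '')  // zero-width characters
    .replace(/[ \t]+/g, ' ')
    .trim();
  if (text.length > MAX_LEN) {
    text = text.slice(0, MAX_LEN);
    reasons.push('truncated');
  }
  for (const re of SUSPICIOUS) {
    if (re.test(text)) reasons.push(`pattern:${re.source}`);
  }
  return { allow: !reasons.some((r) => r.startsWith('pattern:')), text, reasons };
}
```

Text hidden with CSS survives tag stripping, which is why the pattern check runs on the stripped text and not on the raw HTML.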
Channel-Specific Risks
| Channel | Risk | Mitigation |
|---|---|---|
| Web Chat | Direct user input injection | Client-side length limits + server-side sanitization |
| Microsoft Teams | Adaptive card data exfiltration | DLP guard on outbound messages |
| Slack | Slash command injection | Input validation on Slack spoke |
| Email | Body/subject prompt injection (SNOW-9.2) | HTML stripping + content classification |
| SMS | Character encoding attacks | UTF-8 normalization |
Integration with SNOW Rule Taxonomy
| Rule | What It Catches | Component |
|---|---|---|
| SNOW-14.1 | Unsanitized topic scripts | sys_cs_topic blocks |
| SNOW-9.1 | Prompt injection in instructions | sn_aia_agent instructions |
| SNOW-9.2 | Inbound email injection | sysevent_email_action |
| SNOW-21.1 | PII leakage via VA responses | Topic output to channel |