Labels

• area/deputies

  Confused deputy and privilege escalation
• area/evasion

  Evasion, persistence, jailbreaks
• area/exfiltration

  Data exfiltration channels and techniques
• area/function-call

  Function calling and tool_use exploitation
• area/harness

  Test harness, agent connectors, execution engine
• area/injection

  Direct, indirect, multimodal, RAG, cross-agent injection
• area/mcp

  MCP protocol attacks and tool poisoning
• area/reports

  Reporting, benchmarks, output formatting
• blocked

  Blocked by another issue or external dependency
• dependencies

  Pull requests that update a dependency file
• duplicate

  Already exists
• effort/large

  A week+, significant design needed
• effort/medium

  A few days, may span modules
• effort/small

  A few hours, single module
• framework/anthropic

  Anthropic tool_use and Claude integrations
• framework/autogen

  Microsoft AutoGen framework
• framework/crewai

  CrewAI multi-agent framework
• framework/langchain

  LangChain and LangGraph agents
• framework/mcp

  Model Context Protocol servers and clients
• framework/openai

  OpenAI Assistants API and Agents SDK
• framework/semantic-kernel

  Microsoft Semantic Kernel
• github_actions

  Pull requests that update GitHub Actions code
• good-first-issue

  Good for newcomers
• help-wanted

  Extra attention needed from community
• needs-design

  Requires design discussion before implementation
• needs-info

  More detail required
• owasp/llm01-prompt-injection

  OWASP LLM01: Prompt Injection
• owasp/llm02-sensitive-disclosure

  OWASP LLM02: Sensitive Information Disclosure
• owasp/llm05-improper-output

  OWASP LLM05: Improper Output Handling
• owasp/llm06-excessive-agency

  OWASP LLM06: Excessive Agency