Scoring
Scores start at 100 and deduct per finding, with caps per category to prevent one domain from dominating the result.
| Severity | Points per finding | Category cap |
|---|---|---|
| CRITICAL | −15 | −60 |
| HIGH | −8 | −40 |
| MEDIUM | −3 | −20 |
| LOW | −1 | −10 |
Grades
| Grade | Score range |
|---|---|
| A | 90–100 |
| B | 75–89 |
| C | 60–74 |
| D | 40–59 |
| F | 0–39 |
Drako produces two independent scores: Governance (are your agents safe?) and Determinism (will they behave consistently?). Both use the same 0–100 scale and grading system.
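The scoring rules above, worked through in Python as an added illustration (this is not Drako's own scoring code). It assumes the cap bounds the summed deductions of one severity class within one rule category, and that DET-* findings feed the Determinism score while every other category feeds Governance; both are readings of this page, not confirmed implementation details.

```python
from collections import defaultdict

# Per-finding deduction and cap by severity, taken from the Scoring table.
POINTS = {"CRITICAL": 15, "HIGH": 8, "MEDIUM": 3, "LOW": 1}
CAPS = {"CRITICAL": 60, "HIGH": 40, "MEDIUM": 20, "LOW": 10}
GRADES = [(90, "A"), (75, "B"), (60, "C"), (40, "D"), (0, "F")]

def category_of(rule_id):
    # Rule category is the prefix before the first dash: "SEC-001" -> "SEC".
    return rule_id.split("-", 1)[0]

def score(findings):
    """findings: iterable of (rule_id, severity). Returns an int in 0..100.

    Assumption: a cap bounds the summed deduction of one severity class
    within one rule category, so five CRITICAL findings in SEC cost 60,
    not 75, while a CRITICAL in ID still costs its full 15 on top.
    """
    raw = defaultdict(int)
    for rule_id, severity in findings:
        raw[(category_of(rule_id), severity)] += POINTS[severity]
    total = sum(min(pts, CAPS[sev]) for (_, sev), pts in raw.items())
    return max(0, 100 - total)

def grade(value):
    for floor, letter in GRADES:
        if value >= floor:
            return letter
    return "F"

def drako_scores(findings):
    """Split findings into the two independent scores (assumption: DET-*
    feeds Determinism, everything else feeds Governance)."""
    det = [f for f in findings if category_of(f[0]) == "DET"]
    gov = [f for f in findings if category_of(f[0]) != "DET"]
    return {"governance": score(gov), "determinism": score(det)}

# Constructed sample scan result, not real scanner output. SEC-001 appears
# twice (two files), which pushes SEC CRITICAL deductions past the -60 cap.
SAMPLE = [
    ("SEC-001", "CRITICAL"), ("SEC-001", "CRITICAL"), ("SEC-002", "CRITICAL"),
    ("SEC-005", "CRITICAL"), ("SEC-008", "CRITICAL"), ("ID-001", "CRITICAL"),
    ("GOV-001", "HIGH"), ("GOV-004", "HIGH"),
    ("DET-001", "MEDIUM"), ("DET-003", "LOW"),
]

if __name__ == "__main__":
    for name, value in drako_scores(SAMPLE).items():
        print(f"{name}: {value} ({grade(value)})")
```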
Categories overview
Security
SEC-001 → SEC-011 — Hardcoded secrets, prompt injection, code execution, filesystem and network access.
Governance
GOV-001 → GOV-011 — Audit logging, human-in-the-loop, self-modifying prompts, fallback logic.
Compliance
COM-001 → COM-005 — EU AI Act Articles 9, 11, 12, and 14 gaps.
Determinism
DET-001 → DET-007 — Temperature, timeouts, retries, iteration limits, seeds.
Vendor concentration
VCR-001 → VCR-003 — Same vendor across model, framework, cloud, and governance layers.
Framework-specific
FW-001 → FW-010 — CrewAI delegation, AutoGen code execution defaults, LangGraph state.
Operational boundaries
ODD-001 → ODD-004 — Boundary definitions, unrestricted tools, spend caps.
Magnitude
MAG-001 → MAG-003 — Spend caps, rate limits, unclassified data access.
Identity
ID-001 → ID-003 — Static credentials, shared credentials, missing identity.
Multi-agent
MULTI-001 → MULTI-004 — Topology monitoring, circular dependencies, contention protection.
Hooks
HOOK-001 → HOOK-003 — Pre-action validation, session-end gates, hook timeouts.
Versioning
CV-001 → CV-002 — Policy versioning, audit log policy references.
FinOps
FIN-001 → FIN-003 — Cost tracking, model selection, response caching.
Resilience
RES-001 → RES-002 — Fallbacks for critical ops, state preservation.
A2A
A2A-001 → A2A-003 — Agent-to-agent auth, inter-agent input validation.
Best practices
BP-001 → BP-005 — Framework versions, test coverage, tool count.
Rules by category
Security (SEC-001 → SEC-011)
Security rules detect risks that expose your agent system to direct attack or compromise. These span credential management, injection vectors, input/output handling, and code execution.
Standards referenced: CWE-798, CWE-22, CWE-918, CWE-94, CWE-20, CWE-74, CWE-79, CWE-352, OWASP Top 10 for LLM, NIST AI RMF
Related advisories: DRAKO-ABSS-2026-001 (Prompt Injection), DRAKO-ABSS-2026-006 (Sensitive Information Disclosure), DRAKO-ABSS-2026-007 (Insecure Plugin Design)
| Rule ID | Severity | What it checks |
|---|---|---|
| SEC-001 | CRITICAL | API key hardcoded in source code |
| SEC-002 | CRITICAL | Secrets in prompts or configuration |
| SEC-003 | HIGH | Unrestricted filesystem access in tool |
| SEC-004 | HIGH | Unrestricted network access in tool |
| SEC-005 | CRITICAL | Arbitrary code execution in tool (exec, eval, os.system) |
| SEC-006 | MEDIUM | No input validation on tool parameters |
| SEC-007 | HIGH | Prompt injection vulnerability (user input in f-strings) |
| SEC-008 | CRITICAL | No input sanitization on tool results from external sources |
| SEC-009 | HIGH | Agent processes untrusted external data in prompt context |
| SEC-010 | HIGH | No prompt injection defense configured |
| SEC-011 | HIGH | No intent verification on high-impact actions |
Governance (GOV-001 → GOV-011)
Governance rules detect missing controls for observing, limiting, and overseeing agent behavior in production.
Standards referenced: EU AI Act Art. 12, 14; NIST AI RMF GV-1.1, GV-1.5, GV-4.1, MS-2.5, MS-2.7; CWE-284, CWE-294, CWE-755, CWE-770
Related advisories: DRAKO-ABSS-2026-008 (Excessive Agency), DRAKO-ABSS-2026-025 (Tool-Abuse Injection)
| Rule ID | Severity | What it checks |
|---|---|---|
| GOV-001 | HIGH | No audit logging configured |
| GOV-002 | MEDIUM | No policy enforcement middleware |
| GOV-003 | MEDIUM | No rate limiting on tool calls |
| GOV-004 | HIGH | No human-in-the-loop for destructive actions |
| GOV-005 | MEDIUM | No circuit breaker configured |
| GOV-006 | CRITICAL | Agent can modify its own system prompt at runtime |
| GOV-007 | MEDIUM | No per-tool failure handling |
| GOV-008 | HIGH | No fallback for critical tools (payment, write, execute, deploy) |
| GOV-009 | CRITICAL | Agent can execute destructive actions autonomously |
| GOV-010 | HIGH | No escalation path defined |
| GOV-011 | HIGH | Action replay vulnerability — no nonce or idempotency key |
Compliance (COM-001 → COM-005)
Compliance rules detect gaps against specific EU AI Act articles. High-risk system requirements take effect August 2, 2026.
Standards referenced: EU AI Act Art. 9, 11, 12, 14
| Rule ID | Severity | What it checks |
|---|---|---|
| COM-001 | HIGH | No automatic logging (EU AI Act Art. 12) |
| COM-002 | HIGH | No human oversight mechanism (EU AI Act Art. 14) |
| COM-003 | MEDIUM | No technical documentation (EU AI Act Art. 11) |
| COM-004 | MEDIUM | No risk management documentation (EU AI Act Art. 9) |
| COM-005 | MEDIUM | No Agent BOM / inventory maintained (EU AI Act Art. 11) |
The source repo’s docs/rules/index.md lists COM-001 through COM-006. The sixth compliance rule (COM-006) covers the absence of a HITL checkpoint for high-risk actions (CRITICAL, EU AI Act Art. 14).
Determinism (DET-001 → DET-007)
Determinism rules detect configurations that make agent behavior unpredictable or unrepeatable. These findings feed the separate Determinism score.
Standards referenced: NIST AI RMF MS-2.5, MS-2.7
| Rule ID | Severity | What it checks |
|---|---|---|
| DET-001 | MEDIUM | LLM temperature not explicitly set |
| DET-002 | MEDIUM | No timeout configured on LLM calls |
| DET-003 | LOW | No retry logic on LLM calls |
| DET-004 | MEDIUM | No iteration limit on agent loops |
| DET-005 | LOW | No random seed set |
| DET-006 | MEDIUM | No output schema validation |
| DET-007 | LOW | Non-deterministic tool ordering |
Vendor concentration (VCR-001 → VCR-003)
Vendor concentration rules detect when your model, framework, and governance layers all come from the same vendor — flagging audit independence risk that vendor-affiliated tools have no incentive to report.
Standards referenced: NIST AI RMF GV-1.3, EU AI Act Art. 9
| Rule ID | Severity | What it checks |
|---|---|---|
| VCR-001 | MEDIUM | Same vendor for model and framework layer |
| VCR-002 | MEDIUM | Same vendor for framework and cloud infrastructure |
| VCR-003 | HIGH | Same vendor across model, framework, cloud, and governance |
Framework-specific (FW-001 → FW-010)
Framework-specific rules detect known governance gaps in the frameworks you use, including default configurations that ship insecure.
Related advisories: DRAKO-ABSS-2026-016 (CrewAI Tool Output Injection), DRAKO-ABSS-2026-017 (LangChain Unsafe Deserialization), DRAKO-ABSS-2026-018 (AutoGen Unrestricted Code Execution), DRAKO-ABSS-2026-020 (CrewAI Delegation Hijacking)
| Rule ID | Severity | Framework | What it checks |
|---|---|---|---|
| FW-001 | HIGH | CrewAI | Unrestricted code execution via allow_code_execution |
| FW-002 | HIGH | CrewAI | No memory isolation between agents |
| FW-003 | MEDIUM | CrewAI | Uncontrolled delegation (allow_delegation=True by default) |
| FW-004 | HIGH | LangGraph | Unrestricted ToolNode without allowlist |
| FW-005 | MEDIUM | LangGraph | No checkpointing (MemorySaver or equivalent) |
| FW-006 | CRITICAL | AutoGen | LocalCommandLineCodeExecutor without Docker sandboxing |
| FW-007 | HIGH | AutoGen | No output validation on code executor results |
| FW-008 | HIGH | Semantic Kernel | Auto-imported plugins without permission review |
| FW-009 | MEDIUM | Semantic Kernel | No cost guard on planner invocations |
| FW-010 | LOW | PydanticAI | Untyped tool return values |
Operational boundaries (ODD-001 → ODD-004)
Operational boundary rules detect when agents lack defined Operational Design Domains (ODDs) — explicit limits on where, when, and how an agent can act.
Standards referenced: NIST AI RMF GV-1.1, GV-1.3; CWE-269, CWE-400
| Rule ID | Severity | What it checks |
|---|---|---|
| ODD-001 | CRITICAL | No operational boundary definition (no ODD configured) |
| ODD-002 | HIGH | Unrestricted tool access — no per-agent allowlist |
| ODD-003 | HIGH | No spend cap (no max_tokens or budget limit) |
| ODD-004 | MEDIUM | No time constraints (timeout, max_iterations, time_limit) |
Magnitude (MAG-001 → MAG-003)
Magnitude rules detect missing financial and operational ceilings. Without magnitude limits, a compromised or runaway agent has unbounded access to spend, compute, and data.
Standards referenced: NIST AI RMF MS-2.7; CWE-269, CWE-770
Related advisories: DRAKO-ABSS-2026-004 (Model DoS via Resource Exhaustion), DRAKO-ABSS-2026-010 (Unbounded Consumption)
| Rule ID | Severity | What it checks |
|---|---|---|
| MAG-001 | CRITICAL | No spend cap defined (no daily/monthly budget in .drako.yaml) |
| MAG-002 | HIGH | No rate limit defined on agent iterations or tool calls |
| MAG-003 | HIGH | Sensitive data access without clearance or classification |
Identity (ID-001 → ID-003)
Identity rules detect credential management problems that prevent per-agent auditability and revocation.
Standards referenced: CWE-798, CWE-522; OWASP A07:2021; NIST AI RMF GV-1.3
| Rule ID | Severity | What it checks |
|---|---|---|
| ID-001 | CRITICAL | Static credentials hardcoded in agent code |
| ID-002 | HIGH | No identity definition for agent (no unique identity or DID) |
| ID-003 | HIGH | Shared credentials across multiple agents |
Multi-agent (MULTI-001 → MULTI-004)
Multi-agent rules detect coordination risks that emerge when two or more agents interact — including circular dependencies, shared resource contention, and missing observability.
Standards referenced: NIST AI RMF MS-2.3, MS-2.5; CWE-362, CWE-835
Related advisories: DRAKO-ABSS-2026-020 (CrewAI Delegation Hijacking)
| Rule ID | Severity | What it checks |
|---|---|---|
| MULTI-001 | HIGH | Multi-agent system without topology monitoring |
| MULTI-002 | CRITICAL | Circular agent dependency detected via AST analysis |
| MULTI-003 | HIGH | Shared resource without contention protection (race condition risk) |
| MULTI-004 | MEDIUM | No chaos testing or fault injection configured |
Hooks (HOOK-001 → HOOK-003)
Hook rules detect missing lifecycle controls in .drako.yaml. Hooks let you inject custom validation before tool execution and at session end.
Standards referenced: NIST AI RMF GV-1.3, GV-4.1; CWE-400
| Rule ID | Severity | What it checks |
|---|---|---|
| HOOK-001 | MEDIUM | No pre-action validation hooks configured |
| HOOK-002 | MEDIUM | No session-end gate (on_session_end hook) configured |
| HOOK-003 | LOW | Hook script defined without timeout_ms |
Context versioning (CV-001 → CV-002)
Versioning rules detect when policy changes are untracked, making it impossible to determine which rules were active at the time of an incident.
Standards referenced: EU AI Act Art. 12; NIST AI RMF GV-4.1
| Rule ID | Severity | What it checks |
|---|---|---|
| CV-001 | HIGH | No policy versioning — no Drako platform connection (api_key_env, endpoint) |
| CV-002 | MEDIUM | Audit logging configured but no platform connection to reference policy versions |
FinOps (FIN-001 → FIN-003)
FinOps rules detect missing cost controls. Without tracking, you cannot report spend, detect anomalies, or enforce budgets.
Standards referenced: NIST AI RMF MS-2.7
| Rule ID | Severity | What it checks |
|---|---|---|
| FIN-001 | HIGH | No cost tracking on LLM calls |
| FIN-002 | MEDIUM | Single model for all tasks — no cost optimization |
| FIN-003 | MEDIUM | No response caching configured |
Resilience (RES-001 → RES-002)
Resilience rules detect missing recovery paths. When a critical tool or agent fails, these controls determine whether the system degrades gracefully or crashes.
Standards referenced: NIST AI RMF MS-2.5
| Rule ID | Severity | What it checks |
|---|---|---|
| RES-001 | HIGH | No fallback defined for critical operations (payment, write, execute) |
| RES-002 | MEDIUM | No state preservation on agent failure (no checkpointing) |
Agent-to-agent (A2A-001 → A2A-003)
A2A rules detect security gaps in how agents communicate with each other. Without mutual authentication and message validation, a compromised agent can inject malicious instructions throughout the pipeline.
Standards referenced: NIST AI RMF GV-1.3; CWE-287, CWE-653, CWE-74
Related advisories: DRAKO-ABSS-2026-023 (Indirect Prompt Injection), DRAKO-ABSS-2026-024 (Multi-Turn Context Manipulation)
| Rule ID | Severity | What it checks |
|---|---|---|
| A2A-001 | HIGH | No agent-to-agent authentication configured |
| A2A-002 | CRITICAL | Agent accepts unvalidated input from other agents |
| A2A-003 | HIGH | No isolation between agent communication channels |
Best practices (BP-001 → BP-005)
Best practice rules detect patterns that increase operational risk without necessarily being security vulnerabilities.
Standards referenced: NIST AI RMF MS-2.11
| Rule ID | Severity | What it checks |
|---|---|---|
| BP-001 | LOW | Framework is behind the latest major version |
| BP-002 | MEDIUM | No tests referencing agent names |
| BP-003 | LOW | No retry or backoff logic on LLM calls |
| BP-004 | MEDIUM | No timeout on tool executions |
| BP-005 | LOW | More than 10 tools registered on a single agent |
Suppressing rules
To suppress a specific rule for a file or project, add a suppress block to your .drako.yaml: