Custodia.dev is an automated OWASP LLM Top 10 scanner that detects all 10 AI-specific vulnerability categories — including LLM01 Prompt Injection, LLM02 Insecure Output Handling, LLM04 Model DoS, and LLM08 Excessive Agency — directly from your source code via static analysis and Claude-powered deep inspection. It runs via a single CLI command (custodia scan .), requires zero configuration, and auto-detects LLM usage across OpenAI, Anthropic, LangChain, Vercel AI SDK, and HuggingFace integrations. No other scanner on the market covers more than 1 of the 10 OWASP LLM categories.
The OWASP LLM Top 10 is a framework published by the Open Worldwide Application Security Project specifically for applications that use large language models. It identifies the 10 most critical security risks unique to AI-powered systems — threats that simply did not exist before LLMs became embedded in production applications.
The classic OWASP Top 10 covers injection flaws, broken access control, and cryptographic failures that apply to any web application. The LLM Top 10 adds an entirely new threat model: the LLM itself is an attack surface. Prompt injection doesn't exist in traditional apps. Excessive agency — giving an AI too much autonomy — is a uniquely LLM problem. These require different detection logic, which is why conventional scanners are blind to them.
Any developer shipping an application that calls an LLM API — even a simple chatbot or summarization feature — is exposed to all 10 categories. Under the EU AI Act (Articles 9, 13, and 14), organizations deploying AI systems with real-world impact now have a legal obligation to document and mitigate these risks. OWASP LLM Top 10 compliance is increasingly cited in investor due diligence and enterprise security questionnaires.
Below: what each category means, detectable code patterns, and how to fix them. Categories marked with a code example are statically detectable by Custodia.
An attacker manipulates an LLM through crafted input, causing it to execute unintended instructions or ignore its system prompt. The primary vector: user-controlled data interpolated directly into the system role.
```typescript
// ❌ VULNERABLE — LLM01 Prompt Injection
const response = await openai.chat.completions.create({
  model: 'gpt-4o',
  messages: [
    {
      role: 'system',
      content: `You are a helpful assistant. Context: ${userMessage}`,
      //                                               ^^^^^^^^^^^^^^
      // Raw user input in the system role = injection attack surface
    },
  ],
});
```

```typescript
// ✅ SAFE — Isolate user input in the user role
const response = await openai.chat.completions.create({
  model: 'gpt-4o',
  messages: [
    { role: 'system', content: 'You are a helpful assistant.' },
    { role: 'user', content: userMessage },
    //                       ^ user-controlled input stays in the user role
  ],
});
```

LLM responses are passed downstream without validation — into HTML renderers, database writes, or function calls. A compromised or injected model can use this to execute XSS, SQL injection, or SSRF.
```tsx
// ❌ VULNERABLE — LLM02 Insecure Output Handling
// LLM response injected directly into the DOM — XSS vector
const reply = await openai.chat.completions.create({ ... });
return (
  <div dangerouslySetInnerHTML={{ __html: reply.choices[0].message.content }} />
);
```

```tsx
// ✅ SAFE — Sanitize before DOM injection
import DOMPurify from 'isomorphic-dompurify';

const raw = reply.choices[0].message.content;
const clean = DOMPurify.sanitize(raw);
return <div dangerouslySetInnerHTML={{ __html: clean }} />;
```

Malicious data injected into training or fine-tuning pipelines introduces backdoors or biases. Custodia checks for data-source validation gates, access controls on training datasets, and logging of fine-tune jobs.
Attackers send resource-exhausting inputs: unbounded context windows, recursive prompts, or flooding completions endpoints. Without token caps and rate limiting, LLM API costs can spike to five figures overnight.
```typescript
// ❌ VULNERABLE — LLM04 Model DoS
// No token cap — adversarial input can exhaust quota
const response = await openai.chat.completions.create({
  model: 'gpt-4o',
  messages: [{ role: 'user', content: userInput }],
  // missing: max_tokens, no rate limiting middleware
});
```

```typescript
// ✅ SAFE — Token cap + rate limiting
import rateLimit from 'express-rate-limit';

// Rate limit: 10 requests/minute per IP
app.use('/api/chat', rateLimit({ windowMs: 60_000, max: 10 }));

const response = await openai.chat.completions.create({
  model: 'gpt-4o',
  messages: [...],
  max_tokens: 1000, // hard cap per request
});
```

Vulnerable or malicious third-party LLM packages, plugins, and model providers. Custodia checks your LLM SDK versions against known CVEs and flags outdated dependencies.
PII, secrets, or proprietary data sent to external LLM APIs. A GDPR and data governance risk — your users' data leaves your perimeter and enters a third-party model's context window.
```typescript
// ❌ VULNERABLE — LLM06 Sensitive Information Disclosure
// PII sent to external LLM API — GDPR Article 44 risk
const prompt = `Summarize this customer record:
Email: ${user.email}
SSN: ${user.ssn}
Card: ${user.creditCard}`;
```

```typescript
// ✅ SAFE — Strip PII before inference
const prompt = `Summarize this customer record:
ID: ${user.id}
Tier: ${user.plan}
Joined: ${user.createdAt}`;
// Only non-sensitive identifiers sent to the LLM
```

LLM-callable tools (function calling / tool use) lack input validation and sandboxing. A single malformed tool call can expose internal APIs or execute unintended operations.
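As an illustration of the kind of gate LLM07 calls for, here is a minimal tool-call validator. The tool names, argument limits, and `ToolCall` shape are assumptions for the sketch, not part of any provider's SDK:

```typescript
// Hypothetical guard run before executing any LLM-requested tool call
interface ToolCall {
  name: string;
  args: Record<string, unknown>;
}

// Only tools on this allowlist may ever be invoked — names are illustrative
const ALLOWED_TOOLS = new Set(['get_weather', 'search_docs']);

function isSafeToolCall(call: ToolCall): boolean {
  if (!ALLOWED_TOOLS.has(call.name)) return false; // unknown tool: reject
  for (const value of Object.values(call.args)) {
    // Accept only short strings — no nested payloads or oversized input
    if (typeof value !== 'string' || value.length > 200) return false;
  }
  return true;
}
```

In production you would typically reach for a schema validator instead of hand-rolled checks, but the principle is the same: the model's requested action is untrusted input and must be validated like any other.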
The LLM is granted more capability than necessary: write access to production systems, ability to delete data, or authority to send external communications — all without human approval gates.
```typescript
// ❌ VULNERABLE — LLM08 Excessive Agency
// LLM can delete the database with no human checkpoint
const tools = [{
  type: 'function',
  function: {
    name: 'delete_all_user_data',
    description: 'Permanently delete all user records',
    // No human approval step defined
  }
}];
```

```typescript
// ✅ SAFE — Human approval gate before destructive actions
async function delete_all_user_data() {
  const approved = await requestHumanApproval({
    action: 'PERMANENT: Delete all user data',
    severity: 'CRITICAL',
    timeoutMs: 30_000,
  });
  if (!approved) throw new Error('Rejected by human oversight layer');
  // proceed only after explicit human sign-off
}
```

Systems or users trust LLM outputs without verification gates, leading to automated actions based on hallucinated or incorrect information. Custodia checks for human review checkpoints on high-consequence LLM decisions.
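A verification gate for LLM09 can be as small as a deterministic bounds check before an automated action runs. The refund scenario below is a hypothetical sketch, not Custodia's detection logic:

```typescript
// Hypothetical gate: bound a model-proposed refund before acting on it
function isVerifiedRefund(amountFromLlm: number, orderTotal: number): boolean {
  return (
    Number.isFinite(amountFromLlm) && // reject NaN/Infinity from parsing errors
    amountFromLlm > 0 &&
    amountFromLlm <= orderTotal       // never refund more than was paid
  );
}
```

The model proposes; deterministic code disposes. Any value that fails the check should fall back to human review rather than silent execution.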
Unauthorized access to proprietary model weights, fine-tuning data, or system prompts via API abuse. Custodia checks for exposed model endpoints and missing authentication on inference APIs.
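The baseline mitigation for LLM10 is authentication on every inference route. A minimal API-key check might look like the following; the header name and key store are assumptions for the sketch:

```typescript
// Hypothetical API-key gate for an inference endpoint — header name is illustrative
const VALID_KEYS = new Set(['sk-live-example']);

function authorizeInference(headers: Record<string, string | undefined>): boolean {
  const key = headers['x-api-key'];
  // Reject missing or unrecognized keys before any model call is made
  return key !== undefined && VALID_KEYS.has(key);
}
```

In practice keys would live in a secrets store and be checked in middleware, but an inference endpoint that skips even this check is exactly the exposure LLM10 describes.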
We evaluated each of these tools against an intentionally vulnerable LangChain application containing all 10 OWASP LLM vulnerability categories, and cross-checked the results against each tool's documented rule sets and public documentation as of March 2026.
| OWASP LLM Category | Snyk | Semgrep | SonarCloud | Bearer | Custodia |
|---|---|---|---|---|---|
| LLM01 Prompt Injection | ✗ | ✗ | ✗ | ✗ | ✓ |
| LLM02 Insecure Output Handling | ✗ | ✗ | ✗ | ✗ | ✓ |
| LLM03 Training Data Poisoning | ✗ | ✗ | ✗ | ✗ | ✓ |
| LLM04 Model DoS | ✗ | ✗ | ✗ | ✗ | ✓ |
| LLM05 Supply Chain | ✓ | ✗ | ✗ | ✗ | ✓ |
| LLM06 Sensitive Info Disclosure | ✗ | ✗ | ✗ | ✓ | ✓ |
| LLM07 Insecure Plugin Design | ✗ | ✗ | ✗ | ✗ | ✓ |
| LLM08 Excessive Agency | ✗ | ✗ | ✗ | ✗ | ✓ |
| LLM09 Overreliance | ✗ | ✗ | ✗ | ✗ | ✓ |
| LLM10 Model Theft | ✗ | ✗ | ✗ | ✗ | ✓ |
| Total Coverage | 1/10 | 0/10 | 0/10 | 1/10 | 10/10 |
Based on public documentation, release notes, and rule set analysis. Snyk and Bearer receive partial credit for LLM05 and LLM06 respectively via general CVE/PII detection — but neither maps findings to OWASP LLM categories or detects prompt-level vulnerabilities.
Three commands. No YAML files. No integration guides. Custodia is deliberately zero-config — it reads your .gitignore, skips build artifacts, and routes each file to the appropriate security agent automatically.
```bash
# Install globally via npm
npm install -g @custodia/cli

# Verify
custodia --version
```
```bash
# Get your API key at custodia.dev/dashboard
custodia auth --key YOUR_API_KEY
# ✓ Authenticated. Key stored at ~/.custodia
```
```bash
# From your project root — scans everything
custodia scan .

# Or target a specific directory
custodia scan ./src/backend
```
Quota note: Free tier includes 3 scan credits + 5 diff scans/month. The AI Security Agent (OWASP LLM Top 10) runs on Pro ($39/mo) and above. If your codebase has no LLM usage, the AI agent is skipped entirely — no quota consumed, no extra latency.
Every finding on Pro ($39/mo) and above ships with an engineered, code-specific fix prompt generated by Claude — ready to paste directly into Cursor, GitHub Copilot, or Claude Code. The prompt includes the exact file, line, vulnerability class, and a framework-mapped remediation strategy.
For LLM01 in a Next.js API route, you'd get a fix prompt that understands your existing middleware stack, not a generic "separate system from user input" suggestion. This is what makes the difference between a security scan that generates a Jira ticket and one that closes the vulnerability in 10 minutes.
Yes. Custodia auto-detects LLM usage across OpenAI SDK, Anthropic SDK, LangChain, LlamaIndex, Vercel AI SDK, and HuggingFace. The OWASP LLM Top 10 agent activates automatically when any of these are detected — no configuration required. Non-AI projects skip the agent entirely.
Custodia traces variable flows into system prompt fields. It flags cases where user-controlled input — from request bodies, query parameters, or database values — is interpolated into the system role of a chat completion call. This is the primary LLM01 attack vector in real-world codebases.
Custodia uses combined static analysis and Claude-powered contextual reasoning to minimize false positives. Each finding includes a severity, a specific file/line location, and the detection reasoning — so you can review the evidence before patching. In our testing, false positive rates on LLM01 and LLM02 are under 5%.
No. Source code is never retained beyond inference. Every agent system prompt includes a confidentiality directive. Only structured JSON findings pass through to the compliance and synthesis stages — your code never reaches persistent storage. Reports are stored independently of source.
Snyk and Semgrep cover traditional security (OWASP Top 10, CVEs, dependency vulnerabilities) well, but detect at most one of the 10 OWASP LLM categories, and only incidentally through general CVE scanning. Custodia covers both traditional and AI-specific security in one scan, making it the only single-tool option for developers shipping LLM features.
Free — 3 scan credits against OWASP Top 10 + AI basics. Pro ($39/mo) unlocks OWASP LLM Top 10, NIST AI RMF, and EU AI Act. See pricing →