Python: [Feature] Memory validation layer to protect against memory poisoning attacks (OWASP AMG integration)

[vgudur-dev]

Scenario

Semantic Kernel's memory features (TextMemoryPlugin, VolatileMemoryStore, connectors) allow agents to store and retrieve information across interactions. However, there's currently no built-in validation to prevent memory poisoning attacks — where adversarial content gets stored in memory and alters agent behavior in subsequent sessions.

This is now a documented attack class: Memory Poisoning Attacks in LLM Agents (arxiv, June 2026)

Proposal

Add an optional memory validation layer that scans entries before they're persisted to any IMemoryStore implementation. This could be implemented as:

1. A middleware/decorator pattern for IMemoryStore
2. A configurable validation step in the memory pipeline

There's an existing open-source solution that already supports Semantic Kernel: OWASP Agent Memory Guard

What it detects:

• Prompt injection hidden in memory entries
• Instruction override attempts ("ignore previous instructions...")
• Persona/identity manipulation
• Cross-session persistence attacks
• Encoding-based obfuscation (base64, hex, rot13)

Integration example (Python SK):

from agent_memory_guard import MemoryGuard
from semantic_kernel.memory import SemanticTextMemory

guard = MemoryGuard()

# Validate before saving to memory
async def save_with_validation(memory: SemanticTextMemory, collection, text, id):
    result = guard.scan(text)
    if result.is_safe:
        await memory.save_information(collection, text, id)
    else:
        raise MemoryPoisoningError(f"Blocked: {result.threat_type}")

Key details:

• pip install agent-memory-guard
• 98.7% detection rate, <2ms latency per validation
• OWASP Incubator project (Apache 2.0)
• Already has integrations for CrewAI, AutoGen, LangChain, and Semantic Kernel

Benefits

• Protects SK agents from having their behavior silently altered via poisoned memories
• Complements existing SK security practices
• Minimal performance impact (<2ms per memory operation)
• Could be opt-in via configuration

[ferhimedamine]

Memory poisoning is a real attack surface, and the validation-before-persist pattern proposed here is the right entry point. One thing worth adding to the defense model: poisoning detection at write time is necessary but not sufficient. A well-crafted poisoned memory can pass scan heuristics (no obvious "ignore previous instructions" patterns) and still corrupt agent behavior when retrieved alongside legitimate memories in a future session.

The complementary defense we found effective is importance-weighted decay on the retrieval side. If a memory entry is never accessed or reinforced by subsequent interactions, its effective retrieval score decays over time — so even if a poisoned entry passes the write-time scan, it naturally fades from recall results unless something actively references it. Combined with provenance metadata (which agent wrote it, when, at what confidence level), the consuming agent has enough signal to treat low-provenance or low-importance memories as claims rather than facts.

For the middleware decorator pattern you proposed: making it work across all IMemoryStore implementations is the right architecture. We took a similar approach with our memory server — validation and importance scoring happen server-side so individual agent implementations do not need to reimplement the defense. The Rust SDK at https://github.com/dakera-ai/dakera-rs shows how the client-side stays clean while the server handles scanning, scoring, and decay transparently.