Python: Lack of Runtime Access Control (RBAC/Approval Mechanism) in Auto Function Invocation Leads to Unauthorized Execution via Indirect Prompt Injection #14072

@QiuYucheng2003

Describe the bug
Semantic Kernel (Python) lacks declarative security controls and runtime mid-execution interception/approval mechanisms for Native Functions during Auto Function Invocation.

The specific security flaw lies in the "blind trust" of the execution chain:

  1. Missing security attributes at the metadata layer: The @kernel_function decorator (kernel_function_decorator.py) is solely responsible for extracting the function signature for LLM consumption. It does not provide any declarative interfaces for permission level classification or approval requirements (e.g., requires_approval).

  2. Unconditional execution at the execution layer: In the invoke_function_call logic of kernel.py, when parsing the FunctionCallContent returned by the LLM, the framework only validates the presence or absence of parameters. Subsequently, it directly invokes the native method (await context.function.invoke) within _inner_auto_function_invoke_handler.

As a result, when the system is subjected to Prompt Injection (such as reverse psychology attacks), if the LLM is deceived into orchestrating high-risk native skills (e.g., sensitive file writing, data deletion), the SK framework will execute these underlying destructive operations directly and without any hindrance.

To Reproduce
Steps to reproduce the behavior:

  1. Register a native function involving sensitive operations (e.g., WriteAsync for writing files to the system) and mount it using the @kernel_function decorator.

  2. Load this Plugin into the Kernel and configure it to enable Auto Function Invocation.

  3. As an external user, submit a malicious Prompt containing "unauthorized/reverse psychology" instructions (e.g., construct a specific context to induce the LLM to ignore original system settings and force the invocation of the aforementioned write function).

  4. Tracing the execution stack reveals that, upon receiving the Tool Call request planned by the LLM, the Kernel directly invokes the underlying write operation without triggering any security interceptors or Human-in-the-Loop (HITL) confirmation mechanisms.

Expected behavior

  1. Declarative Security: The @kernel_function decorator should support security attribute tags (e.g., requires_approval=True, risk_level="High").

  2. Mid-execution Approval: Built-in permission interceptors or checkpoints should be present in the Kernel.invoke execution stack. When a high-risk function is about to be executed, the system should be able to suspend the task pending authorization based on configurations, or refuse indiscriminate execution, thereby enforcing a Zero Trust architecture.

Screenshots
No runtime logs are provided. This report's conclusions are derived from a static source code security audit of the execution chains in kernel_function_decorator.py, kernel.py, and kernel_function.py.

Platform

  • Language: Python
  • Source: main branch of repository
  • AI model: Any (Mainstream models supporting Tool Calling are affected by this architectural flaw)
  • IDE: VS Code
  • OS: Mac

Additional context
Large Language Models (LLMs) are inherently highly susceptible to Prompt Injection attacks. Directly and seamlessly mapping untrusted LLM planning results to a high-privilege physical function execution chain poses severe security risks. It is strongly recommended to introduce fine-grained authorization and standard Human-in-the-Loop (HITL) paradigms at the FilterTypes.AUTO_FUNCTION_INVOCATION level as soon as possible.
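The approval checkpoint the report asks for, shown as an added example that is not code from the issue or from Semantic Kernel. The risky decorator, MiniKernel, InvocationContext and approval_filter below are hypothetical, dependency-free stand-ins: they model a native function tagged with requires_approval, an interceptor chain in the invoke path with the same (context, next) shape as a Semantic Kernel auto-function-invocation filter (the FilterTypes.AUTO_FUNCTION_INVOCATION hook the report names), and a policy that denies a high-risk call by default unless an approver explicitly allows it. The tool call, the plugin and the in-memory file store are constructed for the demonstration.

```python
"""Model of a human-in-the-loop gate in front of auto function invocation.

Hypothetical illustration only: the decorator, kernel and filter here are not
Semantic Kernel's API; they mirror the (context, next) filter shape so the
pattern transfers to a real auto-function-invocation filter.
"""
import asyncio
import inspect
from dataclasses import dataclass
from typing import Any, Awaitable, Callable


def risky(*, risk_level: str = "low", requires_approval: bool = False):
    """Hypothetical declarative security attributes attached to a native function."""
    def decorate(fn):
        fn.__risk_level__ = risk_level
        fn.__requires_approval__ = requires_approval
        return fn
    return decorate


@dataclass
class InvocationContext:
    function: Callable[..., Any]
    arguments: dict[str, Any]
    result: Any = None
    terminate: bool = False  # a filter sets this to stop the chain before native code


Next = Callable[[InvocationContext], Awaitable[None]]
Filter = Callable[[InvocationContext, Next], Awaitable[None]]


class MiniKernel:
    """Runs one tool call through the ordered filter chain, then the native function."""

    def __init__(self) -> None:
        self.filters: list[Filter] = []
        self.audit: list[str] = []

    async def invoke(self, fn: Callable[..., Any], **arguments: Any) -> InvocationContext:
        ctx = InvocationContext(fn, arguments)

        async def run(i: int, c: InvocationContext) -> None:
            if c.terminate:
                return
            if i == len(self.filters):  # end of chain: the native function itself
                out = c.function(**c.arguments)
                c.result = await out if inspect.isawaitable(out) else out
            else:
                await self.filters[i](c, lambda cc: run(i + 1, cc))

        await run(0, ctx)
        return ctx


def approval_filter(approver: Callable[[str, dict[str, Any]], bool], audit: list[str]) -> Filter:
    """Functions tagged requires_approval run only if the approver says yes; default is deny."""
    async def _filter(ctx: InvocationContext, next: Next) -> None:
        name = ctx.function.__name__
        if getattr(ctx.function, "__requires_approval__", False):
            if not approver(name, ctx.arguments):
                audit.append(f"DENIED {name} {ctx.arguments}")
                ctx.terminate = True
                ctx.result = f"{name} blocked: requires human approval"
                return  # next() is never called, so the native code never runs
            audit.append(f"APPROVED {name} {ctx.arguments}")
        await next(ctx)
    return _filter


# Constructed plugin: an in-memory store stands in for the real file system.
SANDBOX_FS: dict[str, str] = {}


@risky(risk_level="high", requires_approval=True)
def write_file(path: str, content: str) -> str:
    SANDBOX_FS[path] = content
    return f"wrote {len(content)} bytes to {path}"


@risky()
def get_time() -> str:
    return "2024-01-01T00:00:00Z"  # fixed value so the example is deterministic


PLUGIN = {"write_file": write_file, "get_time": get_time}

# Constructed tool call of the kind an LLM might emit after an injected instruction.
INJECTED_CALL = {"name": "write_file",
                 "arguments": {"path": "/home/user/.ssh/authorized_keys",
                               "content": "ssh-ed25519 AAAA... attacker"}}


async def dispatch(kernel: MiniKernel, call: dict[str, Any]) -> InvocationContext:
    return await kernel.invoke(PLUGIN[call["name"]], **call["arguments"])


def demo() -> tuple[str, str, str, dict[str, str], list[str]]:
    kernel = MiniKernel()
    # Policy stand-in for a human: only writes under /tmp/agent/ are pre-approved.
    kernel.filters.append(approval_filter(
        lambda name, args: str(args.get("path", "")).startswith("/tmp/agent/"), kernel.audit))

    async def run():
        blocked = await dispatch(kernel, INJECTED_CALL)
        allowed = await dispatch(kernel, {"name": "write_file",
                                          "arguments": {"path": "/tmp/agent/notes.txt", "content": "ok"}})
        low_risk = await dispatch(kernel, {"name": "get_time", "arguments": {}})
        return blocked.result, allowed.result, low_risk.result

    blocked, allowed, low_risk = asyncio.run(run())
    return blocked, allowed, low_risk, dict(SANDBOX_FS), list(kernel.audit)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the design is that the gate sits in the invoke path, not in the prompt: the injected call is refused before any native code runs, the refusal is returned to the model as the function result, the decision is written to an audit trail, and untagged low-risk functions pass through untouched. In a real deployment the approver callback would block on a human decision or a ticketing system rather than on a path prefix.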

Labels: bug, python, triage