damn-vulnerable-ai-agent
The AI agent you're supposed to break. 14 agents, 12 vulnerability categories, zero consequences.
Release History
| Version | Changes | Urgency | Date |
|---|---|---|---|
| 0.7.4 | Imported from npm (0.7.4) | Low | 4/21/2026 |
| v0.7.4 | ## Fixes - **Dockerfile missing `npm install`** (#29): The container image shipped without `node_modules`, causing `ERR_MODULE_NOT_FOUND: Cannot find package 'openai'` on boot. Added `RUN npm install --omit=dev` after the `package.json`/`package-lock.json` copy so production deps actually land in the image. Thanks @dwx007 for reporting. (#31) ## Verification - `docker compose build --no-cache` succeeds - Container boots all 14 agents - `src/playground/engine.js` imports cleanly (the file from | Medium | 4/14/2026 |
| v0.7.3 | ## Audit-driven cleanup: expected-checks.json now reflects real HMA 0.17.8 detection 56 of 85 scenarios had `expected-checks.json` files claiming HMA check IDs that never fire. This release aligns every scenario with what `hackmyagent secure` actually reports. ### What changed - 56 `expected-checks.json` rewritten to only include IDs HMA actually detects (30 now `[]`, 26 pruned). - 56 scenario READMEs: `**Check:**` header rewritten, added `## Detection status` section classifying each deferred | Medium | 4/14/2026 |
| v0.7.2 | Sync README on npm | Medium | 3/25/2026 |
| v0.7.1 | Fix: scenario parser now handles both `**Check:**` and `**Check IDs:**` README formats. All 65 scenarios correctly parsed. | Medium | 3/23/2026 |
| v0.7.0 | ### Added - 8 new Tier 1 research scenarios (53 total): - unicode-stego-package, stego-binary-asset, indirect-prompt-injection-doc - multimodal-injection-image, a2a-worm-propagation, pickle-deserialization - cicd-ai-review-bypass, clipboard-prompt-injection - Score persistence: challenges survive server restarts (.dvaa/scores.json) - Team mode: `--team <name>` for separate scoreboards per team - Timer mode: `--timer <minutes>` for workshop countdown - Scoreboard API: GET /api/scoreboard ag | Medium | 3/23/2026 |
| v0.6.2 | Fix path traversal examples to use absolute paths (sandbox resolves absolute, blocks relative) | Medium | 3/23/2026 |
| v0.6.1 | ### Added - 7 new vulnerability scenarios from OpenClaw audit and Shodan research (46 total) - rate-limit-absent, security-headers-missing, timing-unsafe-auth, query-param-token - docker-provenance-disabled, websocket-preauth-flood, gateway-exposed-openclaw - Formal references on all 45 scenarios (CWEs, OWASP, CVEs, academic papers, published research) - Scenarios dashboard view (browse all 46 scenarios from the web UI) - Emojis removed from all source files ### Stats - 46 vulnerability sce | Medium | 3/23/2026 |
| v0.6.0 | Major release: DVAA becomes an intelligent AI security training platform. ### Added - **LLM-Powered Tutor**: BYOK (Bring Your Own Key) support for OpenAI/Anthropic. Agents respond with real LLM intelligence. AI tutor guides attacks in real-time. - **AI Agent Kill Chain**: 9 stages, 57 techniques mapped to every challenge - **Sandboxed MCP Tools**: Real filesystem operations (path traversal reads real planted files, not hardcoded strings) - **6 Learning Tracks**: Start Here, Prompt Injection, MC | Medium | 3/23/2026 |
| v0.5.0 | ## What's New - **MemoryBot** (port 3007): Persistent memory injection, no sanitization - **LongwindBot** (port 3008): Small context window, displaced safety instructions - **PluginBot** (port 3012): Unverified tool registry, supply chain attacks - **ProxyBot** (port 3013): No TLS pinning, tool MITM - 12 new CTF challenges (L2-L3) - Docker ports updated for new agents - Agent count: 10 -> 14 Note: Docker image auto-publishes to Docker Hub and GHCR on this tag. | Low | 3/17/2026 |
| v0.4.1 | - Remove Ollama references, document OpenAI/Anthropic LLM support - Add Updates section to README | Low | 3/14/2026 |
| v0.4.0 | - Add MCP JSON-RPC and A2A message protocol endpoints | Low | 3/14/2026 |
| v0.3.0 | - Add Prompt Playground with real LLM support (OpenAI, Anthropic) - Docker Hub image publishing with auto-synced description - Updated branding and ecosystem navigation - Port changed to 9000 | Low | 3/14/2026 |
| v0.2.2 | - Add dashboard screenshots to README | Low | 3/14/2026 |
| v0.2.1 | - Add OpenA2A branding link to dashboard navbar | Low | 3/14/2026 |
| v0.2.0 | Initial release of DVAA - Damn Vulnerable AI Agent. - 10 intentionally vulnerable AI agents covering 8 attack classes - Docker Compose deployment with web dashboard - CI with Claude-powered PR review workflow | Low | 3/14/2026 |