L3 · MAESTRO
Agent Frameworks
L3 is the agent runtime itself: the planning, action, tool-selection, and short-memory loop inside the AI Agents container.
The Agent Frameworks layer is where the agent’s reasoning, planning, and tool execution happen. It encompasses the orchestration logic that decides which tools to call, in what sequence, with what arguments, and how to incorporate results back into the agent’s context. Commercially deployed frameworks (LangChain, AutoGen, CrewAI, LlamaIndex Agents, Semantic Kernel) all live at this layer, as does any custom orchestration code the team writes around them. This is also the layer where planning loops, reflection cycles, and self-correction behaviours run.
What lives here
- Agent orchestration frameworks (LangChain, AutoGen, CrewAI, Semantic Kernel, LlamaIndex)
- Custom agent runtimes and orchestration wrappers written around framework primitives
- Planning and multi-step reasoning loops (ReAct, chain-of-thought, tree-of-thought)
- Reflection and self-correction logic (critique-revise cycles, plan validation)
- Tool routing: the mapping from agent intent to tool invocation, argument construction, and result handling
- Function-calling and structured-output parsing (JSON schema enforcement, argument validation)
- MCP client-side logic: how the framework issues MCP requests and interprets MCP responses
- Agent-to-agent delegation: how the framework dispatches subtasks to peer agents
- Context window management: what gets summarised, truncated, or evicted from the prompt
This layer is the most complex in a typical agentic deployment. It sits above the data plane (L2) and below the infrastructure that hosts it (L4), and it is the primary surface where attacker-controlled input (via prompt injection, poisoned tool output, or manipulated inter-agent messages) is acted upon rather than merely stored.
Concrete example: A CrewAI deployment uses a researcher agent and a writer agent, both backed by a shared tool registry that includes a web-search tool and a file-write tool. An attacker embeds a prompt-injection payload in a public webpage the researcher fetches; the payload instructs the CrewAI orchestrator to add file-write to the writer agent’s next call, exfiltrating internal context to an attacker-controlled URL. The tool-routing logic at L3 is the surface that fails, not the model or the infrastructure.
Threats that target this layer
- T2 Tool Misuse: the framework’s tool-routing logic can be manipulated by adversarial prompts to call tools with unintended arguments, call the wrong tool, or chain tool calls in sequences the operator never authorised. Because the agent constructs tool arguments from model output, T2 is inherently an L3 threat.
- T6 Intent Breaking and Goal Manipulation: planning and reflection loops can be manipulated mid-task to redirect the agent toward attacker-controlled goals. An agent that re-evaluates its plan in response to tool output or peer messages is susceptible to goal substitution at each reflection cycle.
- T5 Cascading Hallucination Attacks: frameworks that pass tool output directly into the next model call without validation create a pipeline where one hallucinated or attacker-fabricated output becomes the authoritative input for the next step.
- T11 Unexpected RCE and Code Attacks: frameworks that include code-execution tools (Python REPL, shell, SQL query constructors) expose a code-generation and execution surface. Adversarial prompt injection at L3 can produce malicious code that the framework then executes via a code tool.
- T16 Insecure Inter-Agent Protocol Abuse: the framework’s handling of MCP and A2A protocol messages is an L3 concern. Frameworks that trust tool descriptions at face value, or that do not validate response schemas, are susceptible to protocol-layer injection.
Mitigations anchored here
- input sanitisation: sanitise all content that enters the agent’s context before it reaches the planning loop. Covers user input, tool output, retrieved chunks, and peer-agent messages, each of which is a potential prompt-injection surface.
- least-privilege tool scoping: enforce a per-agent tool allowlist at the framework layer. The agent may only call tools in its declared scope; any out-of-scope call is rejected before execution, regardless of what the model requested.
- plan-vs-goal validation: validate agent plans (explicit ReAct plans, CoT chains, or structured action sequences) against a policy before execution begins. Catch goal-substitution (T6) and out-of-scope tool selection (T2) before the first real-world action runs.
- context isolation: prevent context from one agent’s session leaking into another’s. In frameworks that share a context store or prompt cache, isolation is a structural prerequisite for multi-tenant safety.
- MCP response sanitisation: validate MCP server responses against declared schema before injecting them into the agent’s context. Prevents protocol-layer injection (T16) from reaching the planning loop.
- reflection-loop depth cap: bound the number of reflection or critique-revise cycles the framework will execute per task. Unbounded reflection enables goal-drift amplification (T6) and resource exhaustion (T4) via recursive planning.
- code-generation review gate: require static analysis or sandboxed execution review before code generated by the agent is run by a code-execution tool. The primary L3 control for T11.
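The least-privilege tool scoping, plan-vs-goal validation and reflection-loop depth cap above can be enforced by one guard that sits between model output and tool execution. The following is an added illustration, not MAESTRO's or any framework's own code; the agent names, tool names and argument schemas are constructed, and it replays the researcher/writer scenario where an injected file-write request is rejected before it runs.

```python
"""Added example (not MAESTRO's or any framework's code): a tool-routing guard placed
between model output and tool execution. Agents, tools and schemas are constructed."""
from dataclasses import dataclass

# Per-agent allowlist (constructed). The writer never holds file_write, so an injected
# request for it is rejected before execution regardless of the model's output (T2).
TOOL_SCOPES = {"researcher": {"web_search"}, "writer": {"draft_text"}}
# Declared argument schemas: required keys and accepted Python types.
TOOL_SCHEMAS = {
    "web_search": {"query": str},
    "draft_text": {"outline": str, "max_words": int},
    "file_write": {"path": str, "content": str},
}
MAX_REFLECTIONS = 3  # reflection-loop depth cap (T6 goal drift, T4 exhaustion)

@dataclass
class GuardResult:
    allowed: bool
    reason: str = "ok"

@dataclass
class AgentState:
    name: str
    reflections: int = 0

def check_tool_call(agent: str, tool: str, args: dict) -> GuardResult:
    """Least-privilege scoping plus argument validation for a single tool call."""
    if tool not in TOOL_SCOPES.get(agent, set()):
        return GuardResult(False, f"tool '{tool}' not in scope for agent '{agent}'")
    schema = TOOL_SCHEMAS[tool]
    if set(args) != set(schema):
        return GuardResult(False, f"argument keys {sorted(args)} do not match {sorted(schema)}")
    for key, typ in schema.items():
        if not isinstance(args[key], typ):
            return GuardResult(False, f"argument '{key}' must be {typ.__name__}")
    return GuardResult(True)

def check_reflection(state: AgentState) -> GuardResult:
    """Bound critique-revise cycles so a manipulated plan cannot keep re-planning."""
    state.reflections += 1
    if state.reflections > MAX_REFLECTIONS:
        return GuardResult(False, f"reflection depth cap {MAX_REFLECTIONS} exceeded")
    return GuardResult(True)

def validate_plan(agent: str, plan: list[dict]) -> list[GuardResult]:
    """Plan-vs-goal validation: vet every step before the first real-world action runs."""
    return [check_tool_call(agent, s["tool"], s.get("args", {})) for s in plan]
```

The guard decides on the declared scope and schema, never on the model's stated intent, which is what makes it hold under prompt injection.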
How L3 relates to its neighbours
L3 consumes data from L2 Data Operations (retrieval results, shared memory, prompt templates) and issues execution requests to L4 Deployment Infrastructure (tool calls that run in containers, shell commands, API calls). A failure of trust at L2 (poisoned retrieval) becomes a planning failure at L3. A planning failure at L3 (tool misuse) becomes an infrastructure-level consequence at L4.
L3 is also the layer that most directly implements the controls recommended by L6 Security and Compliance: policy enforcement (OPA, policy-bound autonomy), intent attestation, and least-privilege tool scoping are all L6 policies that take effect inside the L3 orchestration loop.
The Agent Frameworks layer is where autonomy lives, and where it goes wrong. Controls at L1 and L2 reduce the quality of attacker-controlled input; controls at L4 limit blast radius; only L3 controls can intercept a misaligned plan before it executes.
All threats tagged to this layer
Every threat whose maestroLayers list includes L3. The prose above may discuss a subset; this list is the complete index.
- T2 Tool Misuse
- T5 Cascading Hallucination Attacks
- T6 Intent Breaking and Goal Manipulation
- T11 Unexpected RCE and Code Attacks
- T16 Insecure Inter-Agent Protocol Abuse
- T17 Supply Chain Compromise
- T19 Unintended Workflow Execution
- T20 Framework Vulnerability Leading to Code Injection
- T21 Inconsistent Workflow State
- T29 Plugin Vulnerability Leading to Agent Compromise
- T30 Insecure Inter-Agent Communication Protocol
- T31 Insufficient Isolation Between Agent Actions
- T32 Runaway Agent on Solana
- T39 Unintended Resource Consumption via MCP
- T40 MCP Client Impersonation
- T41 Schema Mismatch Leading to Errors
- T42 Cross-Client Interference via Shared Server