Insecure Inter-Agent Channel
also known as Insecure Inter-Agent Communication, ASI07, A2A Channel Forgery
Anti-pattern: pass messages between agents on shared transports without authenticating the sending agent, the message content, or the sequence.
Context
Two or more agents communicate via A2A, MCP, message bus, pub/sub, or shared blackboard. The transport may be TLS-secured at the network layer, but the agent-to-agent message content has no authentication tag — agents trust whatever messages they read from the channel.
Problem
An attacker with channel access (a compromised peer, a network position, or a replay window) can spoof messages from one agent to another, replay old messages, or forge inter-agent commands. The downstream agent acts on the message as if it came from a trusted peer. Transport-layer encryption alone does not solve this: TLS authenticates the connection, not the semantic content of each message.
Forces
- Multi-agent systems require fast, flexible inter-agent messaging; per-message signing adds latency.
- Standard transport security (TLS, mTLS) authenticates the channel but not the message-level intent.
- Replay attacks are easy when messages are not nonce-bound.
Example
A multi-agent system has a finance agent that confirms transactions on a peer's request. An attacker with read access to the message bus captures a confirmation request from a legitimate procurement agent, modifies the amount and beneficiary, and replays it. The finance agent has no message signature, sees a well-formed request from procurement's claimed identity, and confirms. Postmortem: TLS protected the channel; nothing protected the message content.
Diagram
Solution
Therefore:
Don't trust transport security as message authentication. Sign messages at the agent-identity layer with per-agent keys. Include nonce and timestamp to defeat replay. Validate sender identity on receive. Apply rate-limiting and anomaly detection on inter-agent message volume.
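The receive-side checks above, as an added example that is not part of the original pattern page: each message is wrapped in an envelope carrying sender, recipient, nonce and timestamp, MACed with the sender's key, and the receiver rejects bad tags, stale timestamps and repeated nonces. The agent names, key registry and skew window are constructed for the demo; it uses stdlib HMAC with per-agent keys so it runs stand-alone, whereas a deployment would use asymmetric signatures so receivers hold only public keys.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed per-agent key registry (assumption: keys are provisioned out of band).
AGENT_KEYS = {
    "procurement": b"procurement-key-constructed",
    "finance": b"finance-key-constructed",
}
MAX_SKEW = 60  # seconds a timestamp may differ from the receiver's clock


def canonical(envelope):
    # Stable serialization so sender and receiver MAC exactly the same bytes.
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def sign(sender, recipient, body, now=None):
    # Bind sender, recipient, nonce and timestamp into the authenticated envelope.
    envelope = {"sender": sender, "recipient": recipient, "body": body,
                "nonce": secrets.token_hex(16), "ts": int(now or time.time())}
    tag = hmac.new(AGENT_KEYS[sender], canonical(envelope), hashlib.sha256).hexdigest()
    return {**envelope, "tag": tag}


class Receiver:
    def __init__(self, me):
        self.me = me
        self.seen = set()  # nonces already accepted; a production system would expire them

    def verify(self, msg, now=None):
        now = now or time.time()
        envelope = {k: v for k, v in msg.items() if k != "tag"}
        key = AGENT_KEYS.get(envelope.get("sender"))
        if key is None:
            return False, "unknown sender"
        if envelope.get("recipient") != self.me:
            return False, "not addressed to me"
        expected = hmac.new(key, canonical(envelope), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return False, "bad tag"  # content or identity was altered
        if abs(now - envelope["ts"]) > MAX_SKEW:
            return False, "stale"
        if envelope["nonce"] in self.seen:
            return False, "replay"
        self.seen.add(envelope["nonce"])
        return True, "ok"
```

The tampered-amount and replay cases from the Example section both fail here, with "bad tag" and "replay" respectively.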
What this pattern forbids: nothing useful. The constraint it lacks is message-level authentication.
And the patterns that stand alongside it, or against it:
- Complements: Cascading Agent Failures. Anti-pattern: build a multi-agent system where one agent's failure or hallucination propagates as input to peers, until the whole system has drifted.
- Complements: Agent Privilege Escalation. Anti-pattern: let an agent's effective permissions be the union of its own identity, the identities of its tools, and the identities of the services those tools call.