What is the OWASP LLM Top 10 and how does it apply to SQL agents?
The OWASP LLM Top 10 (v1.1, 2024, with the 2025 refresh adding "Unbounded Consumption") is the canonical threat list for LLM-integrated applications. Five entries are directly relevant to text-to-SQL:
- LLM01: Prompt Injection — user input or retrieved data (including DB rows) overrides system instructions, causing the model to emit harmful SQL.
- LLM02: Insecure Output Handling — the application treats LLM output (a SQL string) as trusted code. This is the canonical failure for text-to-SQL.
- LLM06: Sensitive Information Disclosure — the model emits a query that returns PII it should have filtered.
- LLM08: Excessive Agency — the agent has DB credentials with broader privileges than its job requires (e.g., write access for a reporting bot).
- LLM10: Model Theft — less directly relevant, but query logs can leak proprietary schema/prompts.
QueryShield is a direct mitigation for LLM02 (you stop trusting the output blindly), LLM06 (column-level policy), and LLM08 (statement allowlist + per-agent policy enforces least privilege at the query layer even if the DB credentials are over-scoped).
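As an added illustration of query-layer enforcement (example code written for this page, not QueryShield's own implementation): SQLite's authorizer hook applies a statement allowlist, a per-agent table scope and a column-level PII deny list to every compiled statement, whatever text the model produced. The policy structure, schema and sample rows are constructed assumptions.

```python
import sqlite3

# Constructed policy for a hypothetical read-only reporting agent; the
# structure is an assumption for this example, not QueryShield's format.
POLICY = {
    "allowed_tables": {"orders", "users"},                      # per-agent scope
    "denied_columns": {("users", "email"), ("users", "ssn")},  # PII (LLM06)
    # Statement allowlist (LLM08): read-only actions only. INSERT, UPDATE,
    # DELETE, DROP, PRAGMA, ATTACH and everything else is denied by default.
    "allowed_actions": {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ,
                        sqlite3.SQLITE_FUNCTION},
}

def make_authorizer(policy):
    """Build an SQLite authorizer that checks every compiled statement,
    so the SQL is never trusted just because the model produced it (LLM02)."""
    def authorize(action, arg1, arg2, dbname, trigger):
        if action not in policy["allowed_actions"]:
            return sqlite3.SQLITE_DENY
        if action == sqlite3.SQLITE_READ:  # arg1 = table, arg2 = column ('' for COUNT(*))
            if arg1 not in policy["allowed_tables"]:
                return sqlite3.SQLITE_DENY
            if (arg1, arg2) in policy["denied_columns"]:
                return sqlite3.SQLITE_DENY  # SQLITE_IGNORE would instead yield NULL
        return sqlite3.SQLITE_OK
    return authorize

def run_agent_query(conn, sql):
    """Run model-generated SQL under the policy: ('ok', rows) or ('denied', why).
    execute() refuses stacked statements; executescript() would run them."""
    try:
        return ("ok", conn.execute(sql).fetchall())
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return ("denied", str(exc))

def demo_conn():
    """Constructed in-memory schema and sample rows; policy attached last."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, name TEXT, email TEXT, ssn TEXT);
        CREATE TABLE orders(id INTEGER, user_id INTEGER, total REAL);
        CREATE TABLE audit_log(id INTEGER, entry TEXT);
        INSERT INTO users VALUES (1, 'alice', 'a@example.com', '000-00-0001');
        INSERT INTO orders VALUES (10, 1, 42.0), (11, 1, 8.5);""")
    conn.set_authorizer(make_authorizer(POLICY))
    return conn

if __name__ == "__main__":
    conn = demo_conn()
    for sql in ["SELECT name, SUM(total) FROM users JOIN orders ON users.id = orders.user_id GROUP BY name",
                "SELECT * FROM users", "DELETE FROM orders", "SELECT 1; DROP TABLE users"]:
        print(run_agent_query(conn, sql))  # only the first is ('ok', ...)
```

Because the hook fires inside the engine at prepare time, `SELECT *` is refused as soon as it expands to a denied column, and a table outside the agent's scope is refused even when the connection's credentials could read it.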