{"id":50411968,"url":"https://github.com/srkyn/ai-lms-security-case-study","last_synced_at":"2026-05-31T04:02:55.810Z","repository":{"id":356571973,"uuid":"1233136904","full_name":"srkyn/ai-lms-security-case-study","owner":"srkyn","description":"Authorized AI/LMS security assessment case study with private reporting, OWASP LLM-aligned controls, remediation guidance, and public-safe redaction boundaries.","archived":false,"fork":false,"pushed_at":"2026-05-31T01:27:13.000Z","size":29,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-31T03:13:08.857Z","etag":null,"topics":["ai-security","application-security","learning-management-system","llm-security","owasp-llm-top-10","responsible-disclosure","security-assessment"],"latest_commit_sha":null,"homepage":"https://srkyn.com/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/srkyn.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-08T16:22:18.000Z","updated_at":"2026-05-31T01:27:16.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/srkyn/ai-lms-security-case-study","commit_stats":null,"previous_names":["srkyn/ai-lms-security-case-study"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/srkyn/ai-lms-security-case-study","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srkyn%2Fai-lms-security-case-study","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srkyn%2Fai-lms-security-case-study/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srkyn%2Fai-lms-security-case-study/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srkyn%2Fai-lms-security-case-study/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/srkyn","download_url":"https://codeload.github.com/srkyn/ai-lms-security-case-study/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srkyn%2Fai-lms-security-case-study/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33718449,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-31T02:00:06.040Z","response_time":95,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-security","application-security","learning-management-system","llm-security","owasp-llm-top-10","responsible-disclosure","security-assessment"],"created_at":"2026-05-31T04:02:55.493Z","updated_at":"2026-05-31T04:02:55.751Z","avatar_url":"https://github.com/srkyn.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# AI/LMS Security Assessment Case Study\n\nPublic-safe case study from an authorized assessment of an AI assistant embedded\nin a learning-management environment.\n\nThe private deliverable was a 24-page confidential report produced in May 2026.\nIt documented 16 validated findings from a standard-user session and translated\nthe evidence into remediation guidance. The confidential report stays private.\nThis repository keeps only the reusable parts: scope, control questions, finding\ncategories, remediation patterns, narrative lessons, and redaction discipline.\n\n![Assessment summary](docs/assets/ai-lms-assessment-summary.svg)\n\n## What This Shows\n\n- How I scoped an AI/LMS assessment\n- Which control areas I tested\n- How findings were translated into remediation\n- How portfolio evidence can be shared without exposing private systems\n- How to show meaningful assessment work while respecting disclosure boundaries\n\n## The Short Version\n\nThe interesting part was not one dramatic bug. It was the combination: an AI\nassistant with tools, memory, document retrieval, LMS context, user-editable\nbehavior, and permissive defaults.\n\nIndividually, each issue was fixable. Together, they created a path where a\nnormal user could influence assistant behavior, expose internal details, and\npotentially move AI-visible data outside the trusted environment.\n\nThat is the real lesson: AI security is not just prompt filtering. It is tool\npermissions, default settings, data boundaries, auditability, memory isolation,\ndocument ingestion, and the boring-but-vital question:\n\n\u003e What can this assistant touch when a normal user gets clever?\n\n## Assessment Areas\n\n| Area | Review Question |\n|---|---|\n| Tool access | Can the assistant call external services, platform APIs, or messaging tools beyond the user's expectation? |\n| Instruction hierarchy | Can user-editable instructions weaken system or platform controls? |\n| Safety configuration | Are guardrails admin-owned, default-on, and hard to bypass from a normal session? |\n| LMS context | What user, role, course, and document data enters the AI session automatically? |\n| Retrieval | Are knowledge sources scoped by owner, course, role, and document sensitivity? |\n| Memory | Can prior session content or uploaded material cross boundaries? |\n| Messaging | Can the assistant send trusted communications without review? |\n\n## Sanitized Findings\n\n| Area | Risk Pattern | Primary Fix |\n|---|---|---|\n| External tools | Outbound requests could include sensitive session context | Restrict destinations, methods, and data classes; require user approval |\n| Instruction control | User-authored instructions could steer behavior beyond intended scope | Keep user instructions below platform and system controls |\n| Safety settings | Protective controls were exposed or weakly enforced | Make safety settings admin-owned and regression tested |\n| Self-disclosure | Assistant responses could reveal internal behavior and attack paths | Reduce unnecessary introspection and test for disclosure patterns |\n| LMS integration | Platform context was broader than needed for the task | Minimize injected context and enforce role-aware scopes |\n| Shared knowledge | Retrieval boundaries could expose inappropriate documents | Add document-level ownership and course-section scoping |\n| Messaging tools | Trusted-session messages could be abused | Require review before sending from a platform identity |\n\n## Recommended Controls\n\n- Allowlist external tools by domain, method, and approved data type.\n- Require visible user approval when requests include session or LMS context.\n- Log tool calls with actor, destination, method, time, and sanitized metadata.\n- Keep user-authored instructions below system and platform instructions.\n- Make safety controls admin-owned, default-on, and covered by regression tests.\n- Scope LMS retrieval by owner, course, role, section, and document sensitivity.\n- Review generated messages before sending from a trusted identity.\n\n## Private Report Structure\n\nThe private report followed a formal assessment format:\n\n- executive summary and risk summary\n- scope, authorization context, and methodology\n- target reconnaissance from a standard-user session\n- detailed findings with severity, evidence, impact, and remediation guidance\n- attack-chain narrative showing how multiple control weaknesses could combine\n- screenshot evidence index for private remediation teams\n- assessor declaration and disclosure boundary\n\nThe public repository does not include exploit strings, screenshots, target URLs,\nstudent data, internal hostnames, API paths, tokens, headers, or reproduction\nsteps.\n\n## Finding Themes\n\n| ID | Theme | Severity |\n|---|---|---|\n| F-01 | Unrestricted outbound requests from AI tools | Critical |\n| F-02 | User-editable high-priority instructions | Critical |\n| F-03 | Safety/context bypass exposed in assistant settings | Critical |\n| F-04 | Assistant disclosed its own attack surface | Critical |\n| F-05 | LMS API calls attempted from assistant tooling | High |\n| F-06 | Cloud command proxy behavior indicated by tool errors | High |\n| F-07 | Broad tool access enabled by default | High |\n| F-08 | External response content influenced chat context | High |\n| F-09 | User context auto-injected into AI sessions | Medium |\n| F-10 | Persistent memory checked automatically | Medium |\n| F-11 | Uploaded and fetched documents entered AI context | Medium |\n| F-12 | Lab-style framing produced risky command guidance | Medium |\n| F-13 | Platform and architecture details disclosed | Informational |\n| F-14 | Internal prompt/configuration details exposed | Critical |\n| F-15 | Email tool presented phishing/impersonation risk | High |\n| F-16 | Personal documents appeared in shared knowledge base | High |\n\n## Public Boundary\n\nPublished:\n\n- Assessment workflow\n- Control matrix\n- Redacted narrative report\n- Remediation playbook\n- Redaction standard\n- Sanitized report template\n- LinkedIn-ready project copy\n\nWithheld:\n\n- Confidential report and evidence\n- Target URLs, tenant IDs, course IDs, and organization names\n- Exploit prompts, payloads, screenshots, tokens, headers, and internal endpoints\n- Student, staff, document, message, or academic-record data\n\n## Documents\n\n- [Redacted narrative report](docs/redacted-report.md)\n- [Remediation playbook](docs/remediation-playbook.md)\n- [Assessment workflow](docs/assessment-workflow.md)\n- [Control matrix](docs/control-matrix.md)\n- [Public redaction standard](docs/redaction-standard.md)\n- [Redaction notes](docs/redaction-notes.md)\n- [Sanitized report template](docs/report-template.md)\n- [LinkedIn project copy](LINKEDIN.md)\n\nThe underlying assessment was authorized and reported privately. This version is\nfor portfolio review and does not provide reproduction steps.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsrkyn%2Fai-lms-security-case-study","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsrkyn%2Fai-lms-security-case-study","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsrkyn%2Fai-lms-security-case-study/lists"}