The Security Review
Salesforce reviews agent code and configuration for vulnerabilities before listing on AgentExchange. The review applies the OWASP LLM Top 10 (with emphasis on LLM01 Prompt Injection, LLM06 Sensitive Information Disclosure, and LLM08 Excessive Agency), data access scopes, prompt-injection defenses, authentication and secrets handling, logging, and audit readiness. The reviewer toolkit overlaps the AppExchange Security Review (Checkmarx, Chimera, manual review) but adds agent-specific probes: jailbreak prompts, instruction override attempts, indirect injection via tool outputs, and data exfiltration through structured-output abuse.
Submission package required:
- Agent metadata XML (Topics, Actions, Instructions)
- Apex source for custom Actions (no managed-package obfuscation that hides flow control)
- Connected App + Permission Set definitions
- Threat model document (STRIDE or equivalent)
- Eval set with adversarial cases and expected refusalsData Access Scopes
Agents declare which CRM data they read and write. Principle of least privilege is enforced — overly-broad access requests prompt mandatory scope reduction before certification. Customers see declared scopes before activation, and the scope is rendered as a human-readable consent screen, not buried in a settings page. Two common rejection patterns: requesting View All on a standard object when a sharing-rule-driven scope would suffice, and writing to fields the agent never reads (a sign of unaudited code paths).
Compliance Posture
For regulated-industry agents, additional review applies: HIPAA handling for Health Cloud, FINRA and SEC 17a-4 retention for Financial Services Cloud, GDPR/EU AI Act provisions for any agent serving EU data subjects, and CJIS for public-sector agents touching law-enforcement data. Certifications cascade: platform certification plus regulatory-specific validation. Expect to provide a Data Processing Agreement, a sub-processor list (every model vendor your agent calls), and evidence that PII is redacted before leaving the trust boundary.
Prompt Injection Defenses
Reviewers test indirect injection through every untrusted input: email body, web-scraped content, file uploads, and tool responses. Pass criteria include allow-listed Action invocations, structured outputs validated against a schema, refusal of out-of-scope instructions, and no echo of system prompt content. The reference defense is the Einstein Trust Layer plus an Action-side guard:
@InvocableMethod(label='Update Account Owner')
public static List<Result> run(List<Input> inputs) {
for (Input i : inputs) {
if (!FeatureManagement.checkPermission('Agent_Can_Reassign')) {
throw new SecurityException('Action not permitted for caller');
}
}
// ...
}ISV Timeline
Budget 2–4 weeks for initial security review on a well-prepared agent. Longer for complex or novel architectures or any agent that calls external models outside the Trust Layer. Remediation cycles add 1–3 weeks each if issues surface. Don’t submit for certification with known gaps; reviewers will find them, and a fail-then-fix cycle costs more than a delayed first submission.
What to Do This Week
Run the OWASP LLM Top 10 checklist against your agent before submission and document a refusal test case for every Action you expose.
