Why Multi-Agent Communication in CrewAI Needs Authentication

We analyzed CrewAI's agent delegation system — the mechanism that lets agents hand off tasks to each other in hierarchical workflows — and identified a structural security gap: agent-to-agent messages carry no authentication.

This isn't an exploit. It's an architecture observation with a confidence score of 0.1. But in multi-agent systems processing sensitive data, unsigned delegation creates a real attack surface that the CrewAI team and the broader multi-agent community should address.

The CrewAI team has been collaborative — they accepted our security best practices documentation PR.

How CrewAI Delegation Works

CrewAI supports hierarchical crews where a manager agent delegates tasks to worker agents. When Agent A delegates to Agent B:

1. Agent A constructs a task description (often from LLM output)
2. The delegation system routes the task to Agent B
3. Agent B executes and returns results
4. Agent A incorporates the results

At no point in this flow does Agent B verify that the delegation actually came from Agent A, or that the task description wasn't modified in transit.

Why This Matters

In a single-machine, single-user setup, this is low risk. But multi-agent architectures are moving toward:

• Distributed execution across services and machines
• Shared memory where multiple agents read and write to common state
• Tool-mediated communication where agents interact through external services
• Multi-tenant deployments where crews from different users share infrastructure

In these scenarios, unsigned messages create three attack vectors:

1. Agent Impersonation (CWE-345)

Without message authentication, any component that can inject into the communication channel can impersonate the manager agent. A compromised tool, a prompt injection in shared memory, or a malicious MCP server could forge delegation instructions.

2. Task Tampering

Delegated tasks pass through the system as plain text. If an attacker can modify the task between Agent A sending it and Agent B receiving it, they control what Agent B does — with Agent B's full permissions.

3. Result Poisoning

Agent B's results flow back to Agent A unsigned. A man-in-the-middle could modify results before Agent A processes them, leading to incorrect decisions based on tampered data.

These map to OWASP LLM Top 10 #08 (Excessive Agency) and CWE-345 (Insufficient Verification of Data Authenticity).

The Scale of the Problem

This isn't unique to CrewAI. In our analysis of 577 AI agent repositories, we found unsigned inter-agent communication across every multi-agent framework we tested. CrewAI is simply the most popular (48,000+ GitHub stars) and the most transparent about its delegation architecture.

The pattern appears in:

• Hierarchical delegation (CrewAI, AutoGen)
• Agent-to-agent messaging (LangGraph multi-agent)
• Shared memory state (MemGPT, Letta)
• Tool-mediated handoffs (MCP-based architectures)

No major multi-agent framework currently implements message-level authentication between agents.

Recommended Mitigation: HMAC-Signed Messages

The fix is straightforward. Each agent gets a signing key, and every delegation includes an HMAC signature over the task content:

import hmac
import hashlib
import json
from dataclasses import dataclass

@dataclass
class SignedDelegation:
    task: str
    from_agent: str
    to_agent: str
    signature: str

def sign_delegation(task: str, from_agent: str, to_agent: str, key: bytes) -> SignedDelegation:
    payload = json.dumps({"task": task, "from": from_agent, "to": to_agent}, sort_keys=True)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return SignedDelegation(task=task, from_agent=from_agent, to_agent=to_agent, signature=sig)

def verify_delegation(delegation: SignedDelegation, key: bytes) -> bool:
    payload = json.dumps({
        "task": delegation.task,
        "from": delegation.from_agent,
        "to": delegation.to_agent,
    }, sort_keys=True)
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(delegation.signature, expected)

This adds negligible overhead and prevents impersonation, tampering, and replay attacks. For distributed deployments, asymmetric signatures (Ed25519) would be more appropriate.

What CrewAI Can Do

1. Short term: Add an optional signed_delegation=True crew parameter that enables HMAC signing between agents. Opt-in preserves backwards compatibility.
2. Medium term: Implement a delegation audit log that records every agent-to-agent handoff with timestamps and task hashes.
3. Long term: Support pluggable authentication backends for enterprise deployments (mutual TLS, JWT, etc.).

We've already contributed security best practices documentation to the CrewAI repository covering this and other patterns.

How We Found This

This finding was detected by Inkog's Universal IR engine, which converts multi-agent frameworks to a framework-agnostic intermediate representation. The unsigned_messages detection pattern identifies agent communication channels that lack authentication primitives.

The pattern was flagged with confidence 0.1 — our lowest tier, indicating a structural observation rather than a proven exploit. We report it transparently because:

1. Multi-agent architectures are moving to production
2. Retrofitting authentication after deployment is harder than building it in
3. EU AI Act Article 15 (Accuracy, Robustness, and Cybersecurity) will require integrity controls

Scan Your Own Agents

Inkog is open source (Apache 2.0) and detects 18 vulnerability classes across 11 framework adapters:

brew install inkog-io/tap/inkog
inkog -path ./your-agent-code

The 577-repo benchmark report includes full methodology and per-framework findings.

GitHub | Documentation | Full Report