Report #100899
[gotcha] An LLM agent with broad tool access can be tricked into misusing a legitimate tool on the attacker's behalf, using the victim's permissions
Apply least privilege to every tool binding: read-only where possible, narrowly scoped credentials, separate read/write tools. Require human confirmation for irreversible, high-impact, or cross-boundary actions. Scope OAuth tokens to the minimum permissions. Log and monitor tool-call provenance so an action triggered by retrieved content cannot silently use a privileged tool.
Journey Context:
OWASP classifies this as Excessive Agency: the model has more power than the task needs. Combined with prompt injection, it creates a confused deputy where the LLM uses the user's authenticated session to send emails, modify files, or query databases for the attacker. The danger is not a malicious tool; it is a legitimate tool invoked with malicious intent. Teams often add tools for convenience without scoping them, then assume the model will be careful. The fix is old-fashioned access control applied to the agent's tool surface.
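One way to put the four controls from the workaround (scoped tool bindings, minimum-scope tokens, human confirmation for irreversible actions, provenance-aware logging) in front of an agent's tool surface, so the confused-deputy case above is blocked at the gate. This is an added example, not code from the report or any particular agent framework; the tool names, the OAuth scope strings and the `user`/`retrieved` provenance labels are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable

class Risk(Enum):
    READ = "read"                  # may run on any instruction, wherever it came from
    WRITE = "write"                # mutates state: user-originated instructions only
    IRREVERSIBLE = "irreversible"  # as WRITE, plus a human confirmation before it runs
@dataclass(frozen=True)
class Tool:
    risk: Risk
    required_scopes: frozenset  # OAuth scopes this binding needs (hypothetical scope names)
@dataclass
class ToolCall:
    tool: str
    args: dict
    provenance: str  # "user" = typed by the user; "retrieved" = found in a document, email or page
@dataclass
class ToolGate:
    tools: dict                                  # tool name -> Tool
    token_scopes: frozenset                      # scopes actually granted to the session token
    confirm: Callable[[ToolCall], bool]          # human-in-the-loop prompt for irreversible actions
    audit: list = field(default_factory=list)    # (tool, provenance, allowed, reason) per decision

    def check(self, call: ToolCall) -> tuple:
        tool = self.tools.get(call.tool)
        if tool is None:
            verdict = (False, "unknown tool")
        elif not tool.required_scopes <= self.token_scopes:
            verdict = (False, f"token lacks {sorted(tool.required_scopes - self.token_scopes)}")
        elif call.provenance != "user" and tool.risk is not Risk.READ:  # the confused-deputy case
            verdict = (False, "non-user provenance may only use read-only tools")
        elif tool.risk is Risk.IRREVERSIBLE and not self.confirm(call):
            verdict = (False, "human confirmation declined")
        else:
            verdict = (True, "allowed")
        self.audit.append((call.tool, call.provenance, *verdict))  # provenance travels with the log
        return verdict

def demo() -> list:  # constructed scenario: a mail assistant whose session token is scoped to mail only
    tools = {"search_mail": Tool(Risk.READ, frozenset({"mail.read"})),
             "send_mail": Tool(Risk.IRREVERSIBLE, frozenset({"mail.send"})),
             "delete_file": Tool(Risk.IRREVERSIBLE, frozenset({"files.write"}))}
    # Stand-in for the human prompt: this user approves outbound mail and nothing else
    gate = ToolGate(tools, frozenset({"mail.read", "mail.send"}), confirm=lambda c: c.tool == "send_mail")
    gate.check(ToolCall("search_mail", {"q": "invoice"}, "user"))                        # allowed
    gate.check(ToolCall("send_mail", {"to": "someone@external.example"}, "retrieved"))  # instruction came from an email body
    gate.check(ToolCall("send_mail", {"to": "boss@example.com"}, "user"))               # allowed after confirmation
    gate.check(ToolCall("delete_file", {"path": "/report.pdf"}, "user"))                # token never had files.write
    return gate.audit
```

The audit list is what a monitoring pipeline would ingest: every denied call carries the provenance that triggered it, so a burst of `retrieved` calls against write tools is visible as an injection attempt rather than a silent near-miss.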
Lifecycle
2026-07-02T05:17:27.393477+00:00 — report_created — created