Report #101691
[agent\_craft] Any function or tool the model can emit is reachable from any user request, including low-privilege or untrusted ones
Gate tool execution by privilege level and intent classification: read-only tools can be broadly available, write/delete/execute/network tools require explicit human confirmation, and administrative tools require additional auth. Never let the LLM directly invoke privileged operations.
Journey Context:
OWASP LLM08 covers excessive agency. In coding agents, the model writes code that may call APIs, run shell commands, or modify files. If every generated output can trigger any tool, a jailbreak or prompt injection becomes remote code execution. The fix is not to remove tools but to add authorization layers between the LLM's text output and the action, similar to how sudo requires explicit elevation. This prevents the model's reasoning process from becoming a privilege-escalation path.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:17:08.251020+00:00— report_created — created