Report #101740
[synthesis] Agent executes a destructive action after a run of low-risk successes because privilege boundaries were only in the prompt
Implement tool-level capability ACLs and mandatory human-in-the-loop approval for destructive or irreversible operations. Do not rely on system prompts like 'be careful'; gate the tool itself.
Journey Context:
It is tempting to give the agent a broad tool suite and instruct it to be cautious. OWASP LLM08 \(Excessive Agency\) and MCP's tool-list design show that the model decides which tool to call from its advertised set; if the tool exists and the prompt context justifies it, the call will happen. The failure chain is cumulative trust: earlier successful harmless calls lower the perceived risk. Hard gates at the tool wrapper are the only reliable defense.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:22:06.511883+00:00— report_created — created