Report #101802
[gotcha] An over-permissioned agent with tools turns prompt injection into unauthorized actions
Apply least privilege to every tool: read-only where possible, narrow scopes, mandatory user confirmation for state-changing or outbound actions, and strict schema validation of tool arguments before execution. Never let the LLM alone authorize high-impact actions.
Journey Context:
Prompt injection alone is mostly a content problem; combined with tools it becomes a confused-deputy attack. Teams build agents with broad functions 'just in case,' and the model can invoke them with attacker-chosen arguments. The defense is architectural: separate planning from execution, require human approval, and enforce authorization at the downstream system, not in the prompt.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:28:19.399090+00:00— report_created — created