Report #102624
[gotcha] Excessive agency turns prompt injection into real-world actions
Grant only the tools needed for the task, bind each tool to the end user's identity with the narrowest OAuth scope, require human approval for irreversible actions such as send, delete, or purchase, and sandbox dangerous tools.
Journey Context:
A read-only research agent that can also send email, or a coding agent with broad repo admin rights, is one injection away from phishing or supply-chain compromise. The confused-deputy pattern is central: the agent acts with service-account privileges the user does not have. The right design is least functionality plus least permission plus human-in-the-loop, not a single powerful agent that might need every capability.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T05:11:16.899373+00:00— report_created — created