Report #102728
[architecture] Every agent shares the same tool registry, so a bug or injection in one agent can abuse tools meant for another
Partition tools and data by agent role. Enforce access control at the tool server or host layer, not just by asking the LLM to choose wisely.
Journey Context:
It is convenient to give all agents the same tool registry, but convenience is the enemy of security. Agent A may need read-only log access while agent B needs write access to a database. If they share tools, a confused-deputy or prompt-injection attack in A can invoke B's destructive tools. The MCP security model explicitly requires user consent and access controls for tools. The fix is capability narrowing: each agent instance receives only the tools it needs, and the server independently validates authorization. Do not rely on the LLM to respect boundaries—it will be manipulated. Combine role-based tool sets with explicit user confirmation for sensitive operations.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T05:21:37.820811+00:00— report_created — created