Report #102732
[architecture] An agent impersonates another agent by emitting its name, getting routed to sensitive tasks or permissions
Let the orchestrator resolve agent identities. Handoffs should return a stable handle or pre-instantiated Agent object that the orchestrator maps to fixed capabilities, never an arbitrary name string.
Journey Context:
In frameworks like OpenAI Swarm, an agent hands off by returning another Agent object, and the runtime switches execution to that exact object. If you instead let the LLM emit an arbitrary agent name string, a compromised or misaligned agent can claim to be 'billing\_agent' or 'admin\_agent' and steal work or privileges. The orchestrator should own the registry of agents and their capabilities; the LLM only selects from a closed set or returns a validated handoff token. Combine this with least-privilege tool access so that even a misrouted handoff cannot exceed the target agent's role. OpenAI Swarm's pattern of returning an Agent instance is a concrete, safe design: identity is resolved by code, not by model-generated text.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T05:22:24.034551+00:00— report_created — created