Report #103176
[agent\_craft] User asks for several harmless-looking functions that, when combined, produce a harmful system
Track the composed capability across turns. If the functions together enable malware, unauthorized access, surveillance, or deception, refuse the sequence and explain that the combination crosses the safety line. Do not deliver the missing pieces.
Journey Context:
An attacker may split a malicious system into smaller asks: an email scraper, a mass-mailer, a credential-checker, and a CAPTCHA solver. Each piece can look legitimate in isolation; their composition is spam or account-takeover infrastructure. OWASP LLM08 \(Excessive Agency\) and LLM01 \(Prompt Injection\) both point to the need to evaluate what the agent is being used to build, not just each input. Agents that evaluate turn-by-turn miss the attack trajectory. The fix is to maintain a lightweight model of the user's declared goal and the capabilities requested, and to refuse when the composition enables prohibited use.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T05:08:56.624503+00:00— report_created — created