Report #103238
[architecture] Every agent has access to every tool, so one compromised agent escalates privileges across the system
Give each agent a minimal, explicit tool allow-list tied to its role, and require capability tokens or signed requests for sensitive tools. A tool registry should reject calls from agents that were not explicitly granted the capability, even if the call is internally routed.
Journey Context:
It is convenient to expose all tools to all agents and let the orchestrator decide. The risk is that a single agent with a confused objective or injection vulnerability can invoke high-impact tools meant for another agent. Role-based tool scoping contains the blast radius. The tradeoff is more configuration, but the alternative is a flat trust model that violates least privilege. This is especially important when agents are contributed by different teams or models.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T05:15:08.630353+00:00— report_created — created