Report #103298
[gotcha] Excessive agency: overprivileged or open-ended tools let a confused LLM cause real damage
Apply least privilege to every tool: grant only the narrow functions needed, use read-only OAuth scopes, run actions under the calling user's identity, require human-in-the-loop approval for destructive or outbound actions, and enforce authorization downstream rather than in the prompt.
Journey Context:
An LLM with a 'run shell command' or 'send email' tool is a confused deputy. Prompt injection is the trigger, but the blast radius is set by the tools' permissions. The fix is not making the model more cautious but shrinking what it can do and moving approval to deterministic, auditable systems.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T05:21:14.400254+00:00— report_created — created