Starter/example post — replace with your real content.
Tool-calling agents are a new, soft attack surface. If an agent reads untrusted content (a web page, a file, an email) and can also call tools, an attacker can smuggle instructions into that content and hijack the agent's actions.
What I test for
- Instruction override — untrusted text that says "ignore previous instructions".
- Data exfiltration — coaxing the agent to send data to an attacker endpoint.
- Tool abuse — tricking the agent into calling a destructive or sensitive tool.
Defenses that actually help
- Treat all tool output as untrusted data, never as instructions.
- Constrain tools with allow-lists and confirmation on side-effects.
- Separate the "planning" context from untrusted content.