Once an agent can act — delete files, run shell commands, call external APIs, spend money — its mistakes (or a malicious prompt) become real-world consequences. The defense is least privilege plus approval gates plus isolation: give it only what it needs, require confirmation for anything irreversible, and run it where it can't do lasting harm.
- DESTRUCTIVE actions → rm -rf, DROP TABLE, force-push → irreversible data loss
- ARBITRARY shell → run anything → privilege escalation, exfiltration
- EXTERNAL APIs/$$ → send emails, place orders, spend on cloud/LLM tokens
- SECRET exposure → leak API keys / .env / tokens into logs or outbound calls
- PROMPT INJECTION → untrusted input (a web page, an issue) hijacks the agent
Prompt injection is the sharpest edge: content the agent reads can contain instructions, so any tool the agent can call is reachable by an attacker who controls that content.
- LEAST PRIVILEGE / ALLOWLIST → only pre-approved commands & paths; deny by default
- APPROVAL FOR DESTRUCTIVE → human confirms deletes, payments, prod writes
- SANDBOX / DRY-RUN → preview the action; isolated container, no prod creds
- ISOLATED ENVIRONMENT → ephemeral VM/branch; blast radius = throwaway box
- AUDIT LOGS → record every tool call + args for review
- NO SECRETS IN CONTEXT → inject via env at runtime; never paste keys into prompts
- NETWORK LIMITS → egress allowlist; block arbitrary outbound requests
# Conceptual permission policy
tools:
read_file: { allow: true } # safe, reversible
run_shell: { allow: ["npm test", "git status"] } # allowlist only
delete_file: { allow: "ask" } # human approval required
send_email: { allow: "ask", sandbox: true } # dry-run first, then confirm
network:
egress: ["api.github.com"] # everything else blocked
The pattern is graduated trust: read is free, reversible writes are cheap, irreversible or external actions demand confirmation, and money or production demands isolation plus a human in the loop.
The value of agents comes from letting them act, but action is exactly where a confident mistake or a hijacked prompt turns into deleted data, a leaked key, or a real charge. Designing permissions as least-privilege allowlists, gating irreversible actions behind human approval, running in sandboxes with audit logs, and keeping secrets and network egress tightly scoped lets you get the leverage of autonomy without betting production on the model being right every time.