Ch 8 — Securing Agents & Tool Calling — Under the Hood

Excessive Agency, AgentXploit, STAC, WASM isolation, least privilege, HITL
A. Excessive Agency & Unsafe Tool Execution
   OWASP LLM06:2025: too much power, too little control
   - Agent Decides: the LLM chooses which tool to call
   - exec() / eval(): unsafe code-execution pattern
   - Over-Privileged: full DB access, admin credentials
   - No Confirmation: destructive actions without HITL
   Next: attack research (AgentXploit & STAC tool chaining)

B. Agent Attack Research
   AgentXploit, STAC (Sequential Tool Attack Chaining)
   - AgentXploit: automated agent vulnerability scanner
   - STAC: Sequential Tool Attack Chaining
   - SandboxEscapeBench: benchmark for sandbox breakouts
   Next: defense, sandboxing with WASM & containers

C. Sandboxing & Isolation
   WASM (WebAssembly), gVisor, Firecracker microVMs
   - WASM Sandbox: WebAssembly memory isolation
   - Container Isolation: gVisor / Firecracker per-tool sandboxes
   - Resource Limits: CPU, memory, time, network restrictions
   Next: least privilege & human-in-the-loop gates

D. Least Privilege & Human-in-the-Loop
   Capability-based access, approval gates for destructive actions
   - Least Privilege: minimal permissions per tool
   - HITL Gates: human approval for risky actions
   - Action Policies: allow/deny/confirm per action type
   Next: complete secure agent architecture

E. Secure Agent Architecture
   End-to-end defense pipeline for agentic systems
   - Audit Logging: every tool call logged & traceable
   - Defense Stack: full secure agent pipeline
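The gate that stage D describes (per-tool least privilege, allow/deny/confirm action policies, an HITL approval hook) together with stage E's audit logging, as an added Python example that is not the chapter's own code; the tool names, their capabilities, the policy table and the approval callback are constructed assumptions for illustration.

```python
# Added example (not the chapter's own code): a tool-call gate combining
# least privilege, allow/deny/confirm action policies, an HITL approval hook
# and an audit log. Tool names, capabilities and the approver are constructed.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    CONFIRM = "confirm"

# Least privilege: each registered tool carries only the capabilities it needs.
# Anything not registered (exec/eval-style "run arbitrary code") is denied.
TOOL_CAPABILITIES = {
    "search_docs": {"read"},
    "db_query": {"read"},
    "db_write": {"write"},
    "delete_records": {"write", "destructive"},
}
# Action policies: allow / deny / confirm per action type (capability).
ACTION_POLICY = {
    "read": Decision.ALLOW,
    "write": Decision.CONFIRM,
    "destructive": Decision.CONFIRM,
}

@dataclass
class ToolGate:
    approve: Callable[[str, dict], bool]          # HITL gate for CONFIRM
    audit_log: list = field(default_factory=list)  # every call, executed or not

    def check(self, tool: str) -> Decision:
        if tool not in TOOL_CAPABILITIES:
            return Decision.DENY                   # deny by default
        # The most restrictive policy across the tool's capabilities wins.
        verdicts = {ACTION_POLICY.get(c, Decision.DENY) for c in TOOL_CAPABILITIES[tool]}
        if Decision.DENY in verdicts:
            return Decision.DENY
        return Decision.CONFIRM if Decision.CONFIRM in verdicts else Decision.ALLOW

    def call(self, tool: str, args: dict) -> bool:
        decision = self.check(tool)
        executed = decision is Decision.ALLOW or (
            decision is Decision.CONFIRM and self.approve(tool, args))
        self.audit_log.append({"tool": tool, "args": args,
                               "decision": decision.value, "executed": executed})
        return executed  # the real tool dispatch would run only when True
```

Because the gate logs every call, including denied and unapproved ones, the audit log is the record a reviewer would use to trace an agent's tool usage after the fact.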