Tool Abuse
Attacks that misuse the tools or function calls available to an LLM agent, often turning them into a privilege-escalation primitive.
SSRF via fetch tool
An LLM agent with a fetch_url tool is convinced to fetch internal-only endpoints, exposing cloud metadata or admin services.
Shell tool command injection
Agent has a run_shell tool. User supplies a value that is interpolated into a shell string without escaping.
Send-email as victim
Agent has a send_email tool authenticated as the user. Attacker convinces the agent to send a phishing email from the user's account.
Function argument smuggling
Attacker hides a destructive argument in a field that the operator does not surface to humans for review.
Infinite tool loop
Attacker drives the agent into an unbounded tool loop, draining LLM and external API budgets.
Privileged tool confusion
Agent has tools at multiple privilege levels. Attacker tricks it into using the privileged variant for an action that should use the read-only one.
Tool result mutation
The agent rewrites tool results before showing them to the user, hiding evidence of attacker actions.
Credential leak via error message
Tool errors include raw secrets that the agent then surfaces verbatim to the user.
Race condition in tool orchestration
Concurrent tool calls allow the attacker to bypass a check that runs before, but completes after, the destructive call.
Tool schema poisoning
Attacker controls the tool description (e.g., via a third-party plugin). The description contains hidden directives that bias agent behavior.