Tool Abuse

Function argument smuggling

Attacker hides a destructive argument in a field that the operator does not surface to humans for review.

Severity: high
OWASP LLM: LLM06

How it works

If the agent has a 'create_invoice' tool with a 'notes' field, attackers stuff a command string into 'notes', which downstream automation then parses as a config string instead of treating it as free text.

Example payload

create_invoice({"amount": 1, "notes": "; DROP TABLE invoices --"})

Defenses

Validate every tool argument server-side as the canonical authorization point. Never trust the agent or the prompt.
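The following is an added example of that defense, not code from the original page: a server-side validator for a hypothetical 'create_invoice' tool that allow-lists the fields, types and ranges it accepts and then stores 'notes' as an opaque bound parameter. The schema, limits, in-memory SQLite store and the 'config' field used in the rejected call are all constructed for the example. Running it on the page's own payload shows the note stored verbatim while the invoices table survives.

```python
import re
import sqlite3

# Constructed allow-list schema for the hypothetical 'create_invoice' tool.
# Every field the agent may send is listed; anything else is rejected.
INVOICE_SCHEMA = {
    "amount": {"type": (int, float), "min": 0.01, "max": 1_000_000},
    "notes": {"type": str, "max_len": 500},
}

# Reject control characters so 'notes' cannot carry line or record separators
# that a downstream parser might honour.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


class ToolArgumentError(ValueError):
    """Raised when a tool call fails server-side validation."""


def validate_create_invoice(args: dict) -> dict:
    """Server-side check of agent-supplied arguments.

    Returns a cleaned copy of the arguments or raises ToolArgumentError.
    Nothing here depends on what the agent or the prompt asserts.
    """
    if not isinstance(args, dict):
        raise ToolArgumentError("arguments must be an object")
    unknown = set(args) - set(INVOICE_SCHEMA)
    if unknown:
        raise ToolArgumentError(f"unexpected fields: {sorted(unknown)}")
    if "amount" not in args:
        raise ToolArgumentError("amount is required")

    amount = args["amount"]
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(amount, bool) or not isinstance(amount, INVOICE_SCHEMA["amount"]["type"]):
        raise ToolArgumentError("amount must be a number")
    if not INVOICE_SCHEMA["amount"]["min"] <= amount <= INVOICE_SCHEMA["amount"]["max"]:
        raise ToolArgumentError("amount out of range")

    notes = args.get("notes", "")
    if not isinstance(notes, str):
        raise ToolArgumentError("notes must be a string")
    if len(notes) > INVOICE_SCHEMA["notes"]["max_len"]:
        raise ToolArgumentError("notes too long")
    if CONTROL_CHARS.search(notes):
        raise ToolArgumentError("notes contains control characters")

    return {"amount": float(amount), "notes": notes}


def open_invoice_db() -> sqlite3.Connection:
    """In-memory table standing in for the downstream invoice store (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, amount REAL, notes TEXT)")
    return conn


def create_invoice(conn: sqlite3.Connection, args: dict) -> int:
    """Tool handler: validate first, then store 'notes' as data via a bound parameter.

    'notes' is never concatenated into SQL or handed to a config parser, so a
    command-looking string is stored verbatim and has no effect downstream.
    """
    clean = validate_create_invoice(args)
    cur = conn.execute(
        "INSERT INTO invoices (amount, notes) VALUES (?, ?)",
        (clean["amount"], clean["notes"]),
    )
    conn.commit()
    return cur.lastrowid


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = open_invoice_db()
    # The page's payload: the note is stored as text and the table survives.
    rid = create_invoice(db, {"amount": 1, "notes": "; DROP TABLE invoices --"})
    print("stored invoice", rid, db.execute("SELECT notes FROM invoices").fetchone())
    print("invoices table still exists:", table_exists(db, "invoices"))
    # A smuggled field the schema does not know about is refused outright.
    try:
        create_invoice(db, {"amount": 1, "notes": "ok", "config": "debug=1"})
    except ToolArgumentError as exc:
        print("rejected:", exc)
```

The validator is the authorization point: the agent's tool call is a request, and only arguments that pass the allow-list reach the store. Any field the schema does not name, including one the operator never shows to a reviewer, is rejected rather than silently forwarded.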

Related patterns