Hardening Tool-Using Agents with Capability Control and Sandboxing

If model output can directly cause a side effect, every prompt-injection becomes an authorized action. The planner must propose; a deterministic runtime must decide.

Route every tool call, memory write, and external send through a broker and policy engine. No SDK, plugin, or function-calling path may reach a sink without traversing it. Reject "tool dispatcher" libraries that bypass the broker for latency.

A code search shows zero call sites that invoke a tool client outside the broker. A negative fixture that attempts a direct dispatch fails closed.

Inherited credentials and sockets are the most common path from a benign-looking tool call to host or cloud compromise. Ambient authority means the agent acts with whatever the surrounding process already had — exactly what an injected instruction will exploit.

Build the agent base image with no inherited host env, no home-dir mount, no Docker or SSH agent socket, no shared browser cookies, and no developer cloud credentials. Start from deny and grant per-task.

A process-inspection script run against a live agent container shows an empty environment except for explicitly granted variables, and no sensitive sockets are present.

Long-lived tokens issued to agents are blast-radius multipliers. Downstream-native scope is what an attacker actually has to defeat.

Use GitHub fine-grained tokens, IAM session policies, database views, and object-store signed URLs where the downstream service supports them. Where it doesn't, emulate scope at the broker. TTLs measured in minutes, not hours.

Token issuance logs show TTLs within policy and per-call audit references the originating task ID. Replay of an expired capability is denied.

Silent descriptor changes have been the entry point for several disclosed MCP supply-chain incidents. A new verb in a server you already trust is a new privilege.

Track every server, version, content hash, owner, and granted scope in a registry. Block startup on hash drift. Semantic-diff added verbs (send, delete, execute, publish) and require human approval before exposing them to planners.

A registry diff runs in CI; an unapproved descriptor change fails the build. Production agents refuse to load an unpinned server.

Schema-valid JSON can still exceed what the current task is authorized to do. Argument validation against the live capability — not just the static tool definition — is what stops a hijacked planner.

At the broker, evaluate each argument against the task's authorization envelope: allowed tools, allowed destinations, data classes, side-effect ceiling. Deny on mismatch and log the decision.

Deny-fixture tests cover argument values that are valid by schema but out of scope for the test task; all return policy-deny with a structured reason.

Descriptors are model-readable text and have been used to smuggle instructions into the planner context.

Strip invisible Unicode, instruction-like phrasing, and embedded markdown links from descriptions. Render an admin-reviewed summary in the planner prompt, not the upstream description verbatim.

A diff between the source manifest and the rendered descriptor shows the sanitization applied. A canary descriptor containing instruction-like content does not reach the planner unmodified.

Local MCP servers run as full-privilege child processes by default. Multiple disclosed advisories chain a poisoned input through a local server into command execution against the host.

Launch each stdio server with no inherited env, a read-only project mount, a separate scratch volume, no home directory, no SSH/Docker/cloud sockets, and network disabled unless explicitly granted. Pin the package by hash.

A launch-profile audit shows every stdio server matches the hardened profile. A sandbox-escape fixture fails to read host secrets or open outbound connections.

Without labels, the broker cannot tell a confidential record from a public one or a trusted instruction from a webpage scraped five tool calls ago. Labels are the substrate that makes information-flow control enforceable.

Tag tool results at the broker boundary with confidentiality class, integrity (trust) level, origin (which source produced this token range), purpose, and lifetime. Propagate labels through planner context and into argument provenance.

Tool-result envelopes in the audit log carry all five fields. A query joining label propagation across a multi-step task reconstructs origin for every argument.

This is the load-bearing IFC rule. If untrusted-external taint can flow into the arguments of a code-execution, external-send, or admin-mutate tool, an indirect injection becomes an authorized action regardless of how the planner was trained.

Classify a fixed set of high-impact sinks. Reject (or escalate to human approval) any call where any argument carries an untrusted-external taint. Do not allow the model to "explain away" the taint.

Adversarial fixtures that route untrusted content into a high-impact argument all return deny or approval-required. A regression suite covers the disclosed MCP exploit classes by pattern, not by payload.

Quiet declassification is how data exfiltration looks normal in retrospect. Every confidential-to-external transition deserves a logged decision.

When a confidential label must leave its zone, require a declassification record with approver, purpose, recipient, granularity, and expiration. Treat absence of a record as deny.

The declassification log can be queried by recipient and purpose; every external write of confidential-class data has a matching record.

Generated code is the highest-blast-radius artifact an agent produces. A container-only boundary is insufficient against a determined sandbox-escape attempt.

Run code in gVisor, Firecracker microVMs, or an equivalent kernel-isolating runtime. Ephemeral, read-only input mount, separate writable scratch, no default network, no host secrets in env, hard CPU/memory/process/disk/wall-clock limits, deterministic teardown.

Sandbox-escape regression tests covering filesystem, network, and credential exfiltration vectors all fail to escape. Resource-limit fixtures kill runaway jobs within bound.

Where a kernel-isolating runtime is not yet deployed, the container profile is the only thing between an injection and the host.

Apply a tight seccomp profile, AppArmor or SELinux policy, user namespaces, dropped capabilities, read-only root, no Docker socket, and restricted egress. No privileged flag, ever.

A profile linter compares the running container against the policy and fails on drift. The Docker socket is not present in any agent workload.

Shared browser state is ambient authority by another name. Cookies and saved logins from one task become tools for an attacker on the next.

Fresh profile per task, no default cookies, origin allowlists, download quarantine, upload restrictions, separate observe and act phases, and form-submit confirmation on sensitive domains.

Per-task lifecycle logs show profile creation and teardown. A second task launched on the same worker has no access to the first task's session.

Memory is a delayed-action injection channel. Content read from an untrusted source today can steer a privileged workflow tomorrow.

Label memory entries with origin and integrity. Stage entries derived from untrusted content in a quarantine area; privileged workflows cannot read staged memories until human review or deterministic extraction.

Memory provenance fields are populated for every entry. A privileged-workflow fixture that attempts to read a staged memory is denied.

Cross-tenant retrieval is the worst-case outcome of a misconfigured RAG layer and has been the root cause of multiple disclosed agent data-exposure incidents.

Enforce retrieval ACLs at the index layer, not the prompt layer. Partition by tenant and user; scope retrieval by workflow. Set expirations on persistent entries.

Retrieval-ACL fixtures attempting cross-tenant and cross-user reads return empty. An expired entry is unreachable.

Exfiltration channels are creative — image URLs, DNS, package names, commit messages, file names, and browser navigation have all been used in disclosed agent attacks. Email and chat are not the only sinks.

Define the full sink set. Apply destination allowlists and information-flow checks uniformly. Scan content for secrets and PII before release. Treat side-channel surfaces (URLs the model constructs, names it chooses) as sinks too.

Sink-policy fixtures cover each channel and fail closed on disallowed destinations. A canary secret introduced into context does not appear in any external write.

Approval fatigue kills the control. Approvers must see the calls that matter and have the context to decide.

Trigger approval on cross-trust-zone moves, durable mutation, code execution, external send, money movement, and privilege escalation. Show the approver the arguments, data origins, capability grant, and downstream effect — not just the tool name.

An approval-coverage report shows every risk-transition call routed through approval and routine calls auto-allowed. Approver UI screenshots include provenance.

When something goes wrong, incident response needs to distinguish a model mistake from an injection-driven flow. Without provenance, every incident becomes "the model did a bad thing" and root cause is unrecoverable.

For every action, record source data origins, capability grant, policy decision, sink destination, approver (if any), sandbox ID, and a redacted content hash. Make the schema queryable end-to-end.

A representative trajectory — user request through tool calls to external write — can be reconstructed from logs alone, including which upstream tokens influenced which arguments.

Static fixtures decay. Published benchmarks (AgentDojo, InjecAgent and successors) report attack success rates against frontier models high enough that prompt-level hardening alone is empirically inadequate.

Maintain a scenario set that exercises indirect-injection patterns and the disclosed MCP exploit classes. Run on every broker or policy change. Treat monitor outputs as advisory; the gating signal is whether deterministic controls held.

The scenario set has documented pass/fail thresholds. A failing scenario blocks merge to the broker or policy engine.