AI Agent Security Needs to Move to the Tool-Call Boundary

AI agents are becoming useful for the same reason they are becoming risky: they can act. They can browse websites, read files, call APIs, search repositories, invoke MCP servers, use skill files, modify documents, and trigger workflows across external systems. That makes them very different from older chatbot deployments, where most risk stayed inside the response text.

Once an agent can take action, prompt injection stops being a model-output problem and becomes an execution-control problem. A malicious instruction hidden in a webpage, document, tool result, MCP response, or skill file can influence what the agent does next. The attacker does not need to control the user’s prompt. The attacker only needs to control something the agent reads.

That is the structural weakness behind indirect prompt injection. Tool-augmented agents often append tool outputs directly into the conversation history as observations, then ask the model to reason over that expanded context. If the returned content contains hostile instructions, the model may treat those instructions as part of the task. The ClawGuard research frames this as a tool-call boundary problem: each proposed action needs to be checked before it reaches the real environment.

That framing is valuable for enterprise security teams. It moves the focus away from hoping the model refuses the wrong instruction and places the control where damage actually occurs: before a file is read, before data is sent, before a command runs, before an external endpoint receives traffic, and before a tool invocation changes state.


Alignment Alone Is Too Soft for Agentic Workflows

Model alignment can reduce obvious misuse, but it is a weak primary control for tool-connected agents. The model is interpreting a mixed stream of user intent, system guidance, retrieved content, tool returns, and prior observations. That context is messy by design. Agents are built to absorb external information and act on it.

This creates a recurring problem: the model must distinguish data from instruction in situations where both are represented as natural language. A webpage can contain a legitimate paragraph and a hidden command. A document can contain business content and an adversarial instruction. An MCP server can return useful tool output mixed with manipulation. A skill file can contain both valid operational guidance and attacker-controlled behavior.

OWASP describes prompt injection as crafted input that changes model behavior in unintended ways, including inputs that may not be visible to humans but are still parsed by the model. OWASP also calls out indirect prompt injection through external sources such as websites and files, with possible outcomes that include sensitive data disclosure, unauthorized access, arbitrary command execution, and manipulated decision-making.

That maps cleanly to agent risk. The prompt is no longer just what the user typed. The prompt is the agent’s full working context, including anything its tools return. If a security control only asks whether the model “should” obey the injected instruction, it is arriving too late and relying on a probabilistic judgment.

A safer design asks a different question: is the next tool call allowed under the user’s original task?


The Tool-Call Boundary Is Where Intent Becomes Action

The tool-call boundary is the point where the agent moves from reasoning to doing. Before that point, the model may be reading, planning, summarizing, or selecting a next step. After that point, the system may access a local file, contact a domain, execute code, send data, install a package, write a record, or trigger an external service.

That boundary is easier to govern than the model’s full internal reasoning. Security teams do not need to solve every ambiguity in natural language to block a bad action. They need to evaluate concrete attributes of a proposed tool call: tool name, command string, file path, target domain, request payload, credential material, write destination, and expected data movement.

This is the idea behind a runtime guard for agent activity. Instead of trusting every proposed action, the system places an enforcement layer between the model and the environment. The layer checks whether the action fits the active policy. If it clearly fits, it proceeds. If it violates policy, it is blocked. If it is ambiguous, it can be queued for explicit approval and logged.

This approach changes the security model. A malicious webpage may still persuade the model to propose a dangerous command. The command still fails if the runtime policy blocks shell execution, credential file access, unapproved outbound domains, or destructive operations.

The agent may be manipulable at the reasoning layer, but its actions become constrained at the execution layer.


The Three Injection Paths Security Teams Need to Watch

The same pattern appears across three major agent attack surfaces: external content, MCP servers, and skill files.

External content injection is the most familiar. An agent retrieves a webpage, search result, PDF, internal document, or local file. The content includes hidden or direct instructions telling the model to ignore prior guidance, extract data, call another tool, or send information elsewhere. Since the content arrives as a tool result, the agent may process it as trusted context.

MCP server injection expands that risk into the agent integration layer. MCP servers expose tools and return structured responses, but a malicious or compromised server can embed instructions in returned content. It can also poison tool metadata before the first tool call, steering tool selection or parameter use from inside the client’s discovery process. The official MCP security guidance lists attack areas such as confused deputy patterns, token passthrough, SSRF, local server compromise, OAuth validation issues, and scope minimization concerns, which shows how broad the MCP trust boundary has become.

Skill file injection is different but just as dangerous. Skills are reusable capability modules that may include behavioral guidance, scripts, tool instructions, and configuration. Since skills are meant to tell the agent how to behave, malicious additions can blend into legitimate guidance. A poisoned skill does not have to look like an obvious attack. It can quietly redirect behavior inside a capability the user meant to enable.

These paths share the same core issue. The agent absorbs untrusted content into its working context, then proposes actions based on that context. A runtime defense has to assume that some observations are hostile and still keep tool execution inside the user’s intended scope.


Task Scope Should Be Defined Before the Agent Reads the Outside World

One of the strongest ideas in the ClawGuard design is pre-session rule creation. Before any external tool is invoked, the agent derives a rule set from the user’s stated objective. That timing matters. The user’s original task is still clean. The agent has not yet retrieved a poisoned webpage, loaded a malicious server response, or parsed a contaminated skill file.

A task such as “summarize the latest posts from this site and save the result in this folder” has a fairly narrow security shape. It may need web access to one domain, read access to returned content, and write access to one report path. It does not need access to SSH keys, browser profiles, cloud credential files, package installation, shell pipelines, private network ranges, paste sites, tunneling services, or unlisted external domains.

A runtime policy can capture that distinction. The baseline rules deny known dangerous categories such as credential stores, irreversible filesystem operations, reverse shells, privilege changes, agent self-modification, suspicious exfiltration endpoints, and obfuscated command patterns. Task-specific rules then add the narrow set of domains, paths, and tools required for the user’s request. In the ClawGuard design, task-specific entries cannot override fixed safety rules.

This is closer to least privilege than ordinary agent approval prompts. The agent does not receive broad authority and then rely on the user to catch abuse. It receives a scoped operating envelope before untrusted content reaches the model.


Blocking the Action Is Better Than Parsing Every Injection

Indirect prompt injection is hard to detect at the content layer. Attackers can use obfuscation, paraphrasing, multi-step instruction splitting, encoding, roleplay, hidden text, formatting tricks, or context-dependent wording. Some payloads are obvious, such as “ignore previous instructions.” Others may be embedded inside normal-looking task guidance.

Trying to classify every tool result as safe or unsafe becomes brittle. A long webpage, skill file, or MCP response may contain thousands of tokens. The hostile instruction may be subtle. The model may assemble the unsafe behavior across multiple steps.

The action boundary offers a cleaner point of control. A security layer does not need to fully understand why the model wants to run a command like reading a private key and sending it to an external domain. It only needs to see that the proposed action violates policy.

The ClawGuard case study uses that exact pattern. A legitimate web-summary task retrieves a page containing injected commands to read an SSH private key, exfiltrate it through curl, and remove the SSH directory. The runtime check blocks the resulting exec call, rejects the credential file path, logs the denial, and still lets the legitimate report write proceed.

That is the practical value of boundary enforcement. It does not require perfect model judgment. It limits the model’s ability to turn hostile context into real-world effects.


Sanitization Reduces What the Model Can Carry Forward

Runtime authorization controls whether an action can execute, but agents also need data hygiene. Sensitive values can leak through tool arguments, tool returns, conversation memory, logs, generated content, and follow-on requests.

A content sanitizer can reduce that risk by redacting high-value secrets before they move through the agent pipeline. That includes cloud credentials, version control tokens, CI/CD tokens, Slack tokens, webhook URLs, JWTs, bearer tokens, payment keys, SSH material, database URLs, Redis URLs, passwords, and generic API keys. The ClawGuard paper lists a default pattern library covering many of these categories.

This type of control is not a complete data-loss-prevention program, but it gives agent systems a practical starting point. If a tool return includes a credential, the agent should not blindly append it into future reasoning. If a proposed tool call includes a secret in an outbound payload, the runtime should redact or block it before execution.

The goal is to break the chain between accidental exposure and automatic reuse. Agents tend to carry context forward. Sanitization stops sensitive content from becoming reusable context for later tool calls.


Skills Need Inspection Before First Use

Skill files create a different control problem. They are supposed to be directive, so the presence of instructions is not suspicious by itself. A useful skill might tell the agent how to search repositories, format reports, generate code, or interact with a service. A malicious skill can hide inside that same structure.

That is why skill inspection should happen before first execution. The system should analyze the skill’s content, scripts, tool dependencies, file access, network behavior, and stated purpose. Then the user or operator should confirm whether the skill belongs in the environment. If the skill changes later, it should be treated as a new artifact and inspected again.

This is analogous to reviewing a browser extension, CI/CD plugin, or automation script. A skill is not just text. It is an instruction package that changes how the agent behaves. In a mature enterprise deployment, skills need ownership, versioning, approval, and removal paths.

Unmanaged skill ecosystems create a supply chain issue for agents. A team may trust the agent platform but overlook the public skill repository feeding it behavior.


Results Point to a Clear Pattern, Not a Silver Bullet

The ClawGuard evaluation is useful since it tests runtime enforcement across multiple benchmarks and model backbones. Across AgentDojo, SkillInject, and MCPSafeBench, the basic-rule configuration reduced attack success compared with unprotected baselines. On AgentDojo, attack success reached 0% across the tested models. On MCPSafeBench, baseline attack success ranged from 36.5% to 46.1%, and the basic-rule configuration reduced it to roughly 7.1% to 11.0% across the evaluated models.

The limitations matter too. The evaluation notes that the tested configuration used baseline rules without the full task-specific rule-induction component, and residual failures remained in cases involving content-misleading attacks or gaps in endpoint coverage.

That makes the lesson stronger, not weaker. Runtime enforcement works best as a layered control, not a magic filter. Baseline deny rules catch high-severity patterns. Task-specific policy narrows the allowed environment. Sanitization limits sensitive data movement. Skill inspection reduces supply chain risk. User approval handles ambiguous cases. Audit logging gives defenders visibility.

The point is not that one framework solves agent security. The point is that tool-connected agents need enforceable runtime policy, and the tool-call boundary is one of the most defensible places to apply it.


What This Means for Enterprise AI Programs

Organizations adopting AI agents should avoid treating prompt injection as a purely model-side issue. The security program needs to account for the systems the agent can reach and the actions it can perform.

The first step is inventory. Security teams should know which agent platforms are in use, which tools are enabled, which MCP servers are connected, which skill files are loaded, which users can install new capabilities, which credentials the agent can access, and which external domains it can contact.

The next step is scoping. Each agent workflow should have a defined task envelope. A support-ticket summarizer, code-review assistant, vulnerability enrichment agent, finance workflow, and cloud operations agent do not need the same file access, network access, command access, or SaaS permissions.

After that, teams need runtime controls. High-risk actions should be denied or queued by policy, not left to model preference. Examples include shell execution, package installation, access to credential stores, writes outside approved directories, calls to unknown domains, private network access, URL shorteners, paste sites, tunneling services, destructive filesystem commands, and agent configuration changes.

Monitoring needs to follow the same model. Agent telemetry should show tool calls, file paths, network destinations, blocked actions, user approvals, skill loads, MCP server changes, and sanitizer events. Without those records, an incident involving an agent can collapse into guesswork.


The Security Model Has to Assume the Agent Will Be Misled

The safest assumption is that any tool-connected agent will eventually read hostile content. It may come from a webpage, repository, email, PDF, ticket, chat thread, MCP server, database field, or skill file. Security controls should be built around that assumption.

If an agent is misled but cannot access credential stores, cannot contact unapproved domains, cannot run shell commands, cannot install packages, cannot modify its own configuration, and cannot write outside approved paths, the impact is limited. If the same agent has broad local access, broad network access, and weak approval prompts, indirect prompt injection becomes a path to data loss or execution.

This is the real shift in AI security. The model is no longer just generating answers. It is selecting actions inside a connected environment. That means the control plane has to move closer to the action.

Runtime enforcement at the tool-call boundary gives defenders a concrete place to apply least privilege, content sanitization, approval, and audit logging. It does not remove the need for safer models, better prompts, or stronger MCP implementations. It gives enterprises a practical control layer for the point where agent reasoning becomes operational change.

AI agents will keep gaining access to real systems. The security model has to treat every proposed action as something that can be authorized, denied, inspected, and logged before it happens.


How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.


Posted in , , , ,

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.