<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: msabhishek0820-prog</title>
    <description>The latest articles on DEV Community by msabhishek0820-prog (@msabhishek0820prog).</description>
    <link>https://dev.to/msabhishek0820prog</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4013005%2F6a8c9ce7-1b02-443f-8b6a-6ef04ff86862.jpg</url>
      <title>DEV Community: msabhishek0820-prog</title>
      <link>https://dev.to/msabhishek0820prog</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/msabhishek0820prog"/>
    <language>en</language>
    <item>
      <title>Your AI Agent Is Leaking Data Right Now — And Every Tool Call Looks Safe</title>
      <dc:creator>msabhishek0820-prog</dc:creator>
      <pubDate>Fri, 03 Jul 2026 04:32:53 +0000</pubDate>
      <link>https://dev.to/msabhishek0820prog/your-ai-agent-is-leaking-data-right-now-and-every-tool-call-looks-safe-44de</link>
      <guid>https://dev.to/msabhishek0820prog/your-ai-agent-is-leaking-data-right-now-and-every-tool-call-looks-safe-44de</guid>
      <description>&lt;p&gt;&lt;em&gt;How I built the first open-source tool to catch the attacks that no guardrail sees coming&lt;/em&gt;&lt;/p&gt;




&lt;p&gt;We talk a lot about AI safety. Prompt injections. Jailbreaks. Hallucinations.&lt;/p&gt;

&lt;p&gt;But there's a category of attack nobody is talking about — and it's the most dangerous one in production today.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The sequence attack.&lt;/strong&gt;&lt;/p&gt;




&lt;h2&gt;The Scenario Nobody Catches&lt;/h2&gt;

&lt;p&gt;Let me show you exactly what I mean.&lt;/p&gt;

&lt;p&gt;Imagine you deploy an AI assistant to help your team write reports. It has access to your files, your database, and email. Standard setup. Every tool goes through a content filter. You feel safe.&lt;/p&gt;

&lt;p&gt;Now watch what happens:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Step 1: web_search("how to summarise quarterly data")
        → Risk: LOW    P(violation): 31%   ✅ WARN

Step 2: read_file("/workspace/db_config.yaml")
        → Risk: LOW    P(violation): 31%   ✅ WARN

Step 3: read_file("/workspace/customer_data.csv")
        → Risk: LOW    P(violation): 32%   ✅ WARN

Step 4: write_file("/tmp/summary.txt")
        → Risk: HIGH   P(violation): 55%   ⏸ PAUSE

Step 5: send_email(to="external@partner.com")
        → Risk: CRITICAL P(violation): 87% 🚫 BLOCK
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Every single tool call passed your content filter. Every one looked harmless in isolation.&lt;/p&gt;

&lt;p&gt;The sequence was a data leak.&lt;/p&gt;

&lt;p&gt;Your customer data, credentials, and internal configs — summarised and emailed externally. No malicious prompt. No jailbreak. Just five steps that each seemed fine.&lt;/p&gt;




&lt;h2&gt;Why Existing Tools Miss This&lt;/h2&gt;

&lt;p&gt;Guardrails AI, Lakera Guard, NeMo Guardrails — I respect all of them. But they all share one blind spot.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;They check the action, not the trajectory.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;It's like a bank that checks every transaction individually for fraud, but never notices that one account withdrew $100 from 50 different ATMs in 10 minutes. Each $100 withdrawal looks fine. The pattern is the robbery.&lt;/p&gt;




&lt;h2&gt;What SafetyDrift Does Differently&lt;/h2&gt;

&lt;p&gt;I built &lt;strong&gt;SafetyDrift&lt;/strong&gt; — the first open-source implementation of the SafetyDrift research paper (arXiv:2603.27148, March 2026).&lt;/p&gt;

&lt;p&gt;Instead of checking each tool call in isolation, it tracks three cumulative dimensions across the entire session:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Data Exposure&lt;/strong&gt; — what sensitivity of data has the agent accessed?&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Tool Escalation&lt;/strong&gt; — what capabilities has it gained?&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Reversibility&lt;/strong&gt; — can what's been done be undone?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;After every tool call, it runs a Markov chain analysis and computes: &lt;strong&gt;P(violation within the next 5 steps)&lt;/strong&gt;. When that probability crosses a threshold, it intervenes — before the damage happens.&lt;/p&gt;

&lt;p&gt;The research paper proved something striking: in communication-capable agents, reaching even a mild risk state gives an &lt;strong&gt;85% probability of a safety violation within 5 steps&lt;/strong&gt;. SafetyDrift makes that prediction in real time.&lt;/p&gt;




&lt;h2&gt;Two Lines to Add It to Your Agent&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;safetydrift&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;Session&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;InterventionAction&lt;/span&gt;

&lt;span class="n"&gt;session&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nc"&gt;Session&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;task_type&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;default&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

&lt;span class="c1"&gt;# Before EVERY tool call:
&lt;/span&gt;&lt;span class="n"&gt;result&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;session&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;gate&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;send_email&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;to&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;external@partner.com&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;})&lt;/span&gt;

&lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;result&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;action&lt;/span&gt; &lt;span class="o"&gt;==&lt;/span&gt; &lt;span class="n"&gt;InterventionAction&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;BLOCK&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
    &lt;span class="k"&gt;raise&lt;/span&gt; &lt;span class="nc"&gt;RuntimeError&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Blocked: &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;result&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;reason&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It also ships as an &lt;strong&gt;MCP server&lt;/strong&gt; — add two lines to &lt;code&gt;mcp.json&lt;/code&gt; and every MCP-compatible agent (Claude Code, Cursor, Copilot) is protected automatically.&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"safetydrift"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"command"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"python3"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"args"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"-m"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"safetydrift"&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;The Benchmark&lt;/h2&gt;

&lt;p&gt;200 synthetic traces. 100 violations, 100 benign sessions. 5 attack patterns including data exfiltration, credential theft, mass deletion, unauthorised publishing, and payment abuse.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Result: 100% F1. 0% false positives.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Not a single benign session was blocked. Not a single attack got through.&lt;/p&gt;




&lt;h2&gt;Try It&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;pip &lt;span class="nb"&gt;install &lt;/span&gt;safetydrift
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Full source, benchmark code, and framework adapters for LangChain, LangGraph, OpenAI Agents SDK, AutoGen, and CrewAI:&lt;/p&gt;

&lt;p&gt;👉 &lt;strong&gt;github.com/msabhishek0820-prog/safetydrift&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The paper had the math. Now there's code.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Built by Abhishek M S. Implements SafetyDrift (arXiv:2603.27148). MIT licensed.&lt;/em&gt;&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Tags:&lt;/strong&gt; &lt;code&gt;ai&lt;/code&gt; &lt;code&gt;security&lt;/code&gt; &lt;code&gt;python&lt;/code&gt; &lt;code&gt;llm&lt;/code&gt; &lt;code&gt;opensource&lt;/code&gt;&lt;/p&gt;

</description>
      <category>claude</category>
      <category>openai</category>
      <category>langchain</category>
      <category>aisafety</category>
    </item>
  </channel>
</rss>
