The latest articles on DEV Community by Fran (@wraithvector0). https://dev.to/wraithvector0 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3874511%2F473a86d4-0938-41ef-a8cd-6ff5c5834763.jpeg https://dev.to/wraithvector0 en Fran Sun, 12 Apr 2026 07:26:21 +0000 https://dev.to/wraithvector0/what-i-learned-securing-ai-agents-with-tool-access-274j https://dev.to/wraithvector0/what-i-learned-securing-ai-agents-with-tool-access-274j <p>I’ve been experimenting with AI agents that can call tools: shell commands, APIs, databases and file systems.</p> <p>Recently I did a small integration with OpenClaw. It’s still very early, but I’d really value feedback from people running agents in real environments.</p> <p>History</p> <p>At first everything looked great.</p> <p>The agent could reason, choose tools, and automate tasks.</p> <p>Then I realized something uncomfortable:</p> <p>If the model decides to run something dangerous, nothing really stops it.</p> <p>One test made it obvious.</p> <p>The agent attempted:</p> <p>exec("cat /etc/passwd")</p> <p>Not because it was malicious, but because the prompt context allowed it.</p> <p>That’s when it clicked.</p> <p>Most agent setups today trust the model too much.</p> <p>So I started applying very boring security ideas from classic web development.</p> <ol> <li>Treat tool inputs like user inputs</li> </ol> <p>Just because an LLM produced an argument doesn’t mean it’s safe.</p> <p>Tool arguments need validation and sanitization.</p> <p>Examples:</p> <ul> <li>file paths</li> <li>SQL queries</li> <li>shell commands</li> </ul> <p>If something looks suspicious, reject it.</p> <ol> <li>Least privilege for tools</li> </ol> <p>Originally the agent had access to everything.</p> <p>Bad idea.</p> <p>Now every tool has minimal permissions.</p> <p>Examples:</p> <p>Database tool<br><br> → read-only tables</p> <p>Filesystem tool<br><br> → restricted directories</p> <p>API tool<br><br> → scoped endpoints</p> <ol> <li>Log the full chain of actions</li> </ol> <p>Initially I only logged prompts and responses.</p> <p>But when something went wrong I had no idea what the agent actually did.</p> <p>Recording the full chain made debugging much easier:</p> <p>agent reasoning<br><br> → tool selection<br><br> → parameters<br><br> → execution result</p> <ol> <li>Validate tool calls before execution</li> </ol> <p>Instead of letting the agent execute tools directly, I started intercepting tool calls.</p> <p>Conceptually:</p> <p>agent → tool request<br><br> policy check → allow / block<br><br> tool execution</p> <p>If a call violates policy, it never runs.</p> <ol> <li>Always have a kill switch</li> </ol> <p>At one point an agent got stuck in a loop repeatedly calling an API.</p> <p>A simple kill switch that stops tool execution saved the system.</p> <p>None of these ideas are new.</p> <p>They’re basically classic security principles applied to a new context.</p> <p>But as agents get more powerful, these guardrails feel increasingly necessary.</p> <p>I'm still experimenting with runtime guardrails for tool calls.</p> <p>If anyone here is running agents in production, I'm curious:</p> <p>• Are you validating tool inputs?<br><br> • Do you intercept tool calls before execution?<br><br> • Or do you rely mostly on prompt guardrails?</p> <p>Experiment</p> <p>If anyone wants to take a look or give feedback, the repo is here:</p> <p><a href="https://github.com/wraithvector0/wraithvector-openclaw" rel="noopener noreferrer">https://github.com/wraithvector0/wraithvector-openclaw</a></p> ai javascript security programming