| Server / tool | A untrusted | B sensitive | C external |
|---|---|---|---|
| acme-devtools / fetch_url | ● | · | · |
| ↳ read_notes | · | ● | · |
| ↳ run | · | · | ● |
| ↳ send_report | · | · | ● |
This server's tool metadata carries text resembling hidden instructions (3 signals: concealment from the user, hidden directive tags, SSH private key path). Tool metadata is read by the agent and must not carry directives.
✓ Treat tool metadata as untrusted. Strip or sandbox tool descriptions, pin servers to reviewed versions, and require human approval before installing third-party tools.
ASI01 · Agent Goal Hijack · confidence 90%
This server's combined toolset spans all three lethal-trifecta axes, so an agent using it can be steered to chain them into data exfiltration or unauthorized action. Contributors — A (untrusted-input): acme-devtools:fetch_url; B (sensitive-access): acme-devtools:read_notes; C (external-comms): acme-devtools:send_report, acme-devtools:run.
✓ Break the trifecta: remove one axis, split capabilities across isolated agents, or require human approval for the state-changing / external-comms step.
ASI02 · Tool Misuse and Exploitation · confidence 75%
Tool 'run' exposes code or command execution to the agent, so an injected instruction could run commands on the host.
✓ Sandbox execution, drop privileges, allow-list commands, and require human approval for any code-execution tool.
ASI05 · Unexpected Code Execution · confidence 70%
Tool 'run' advertises over-broad access; scope it to the minimum it actually needs.
✓ Apply least privilege: scope filesystem roots, restrict outbound hosts, and narrow tool parameters to the minimum required.
ASI03 · Identity and Privilege Abuse · confidence 60%