O, Privilege)

Description

Plugins and tools extend an LLM’s capabilities (HTTP fetch, filesystem, shell, DB). Insecure design—broad scopes, no validation, missing approvals—enables SSRF, data exfiltration, or system modifications triggered by crafted prompts.

Keywords: LLM plugins, tool-use security, SSRF protection, least capability, approvals.

Examples/Proof

SSRF via fetch tool
- "Fetch http://169.254.169.254/latest/meta-data/" (AWS IMDS). If the tool allows it, that’s SSRF;
Dangerous file operations
- "Delete all logs in /var/log". If the agent executes without approval and without scoping to a safe directory, design is unsafe.
Unscoped DB access
- "DROP TABLE users". If the DB tool allows arbitrary statements, data loss risk is high.

Detection and Monitoring

Tool-use audit trails
- Log inputs/outputs, approve/deny decisions, and map to user sessions. Alert on non-allow-listed hosts/paths.
Rate limiting
- Set per-tool quotas; detect spikes or repeated failures.

Remediation

Least capability
- Narrow hosts, paths, methods, and queries; pass explicit parameters from UI; avoid free-form execution.
User approvals for sensitive actions
- Show diffs/commands; require consent for file writes, network egress, or destructive DB changes.
Server-side policy enforcement
- Validate inputs; enforce allow/deny lists; sandbox with OS/container/AppArmor/SELinux; remove ambient credentials.

Prevention Checklist

Tool scopes (hosts/paths/methods) explicitly constrained
User approvals for sensitive actions with clear diff previews
Server-side validation and sandboxing; no ambient credentials

Haxoris Wiki

LLM07: Insecure Plugin/Tool Design (SSRF, File I/O, Privilege)

Description

Examples/Proof

Detection and Monitoring

Remediation

Prevention Checklist