Medium severity | Curated advisory

Tool permission creep in AI agents

AI agents accumulate tool permissions over time as developers approve new tools "just this once." These permissions persist across sessions, creating an ever-widening attack surface where tools that were approved once can be used by prompt injection in future sessions.

Affected surfaces: tool permission grants, agent session memory, MCP tool configurations
The attack

What happens

Each time a developer approves a tool "just this once," the permission often persists. Over weeks, the agent accumulates access to dozens of tools — file readers, HTTP clients, database connectors, shell executors — any of which can be exploited by prompt injection.

Step by step

How the attack unfolds

1. Developer approves a file-read tool for a specific task.
2. Developer approves an HTTP tool for a different task.
3. Developer approves a shell-execution tool for a third task.
4. Permissions persist across all future sessions.
5. A prompt injection in a future session can use any of the previously approved tools to exfiltrate data.
Example

What it looks like in practice

Scenario

Over a month, a developer approves file-read, HTTP-request, and shell-exec tools for various tasks. In a new session, a prompt injection in a file comment causes the agent to read the .env file (using the file-read tool), then send it to an external URL (using the HTTP tool). Both tools were approved weeks ago and the agent uses them without asking for permission again.

Detection

How Guard catches this

Guard maintains an inventory of all approved tools and their permission scope.
Guard alerts when a tool is used in a session for the first time in 30+ days.
Guard flags sessions where an unusual combination of tools is used (e.g., file-read + HTTP in the same session).
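The three detection rules above can be reproduced outside the product. The following is an added example written for this advisory, not Guard's own code: it replays a constructed log of tool calls, keeps a per-tool inventory of first and last use, alerts when a tool is used again after 30 or more idle days, and flags a session whose tool set contains a read-then-send pair. The tool names, session ids and timestamps are constructed sample data, and the list of risky pairs is an assumption chosen to match the file-read plus HTTP scenario described on this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): (session_id, ISO timestamp, tool).
# Sessions s1..s4 are routine; s9 reuses http_request after a long idle gap and
# combines it with file_read in the same session.
SAMPLE_EVENTS = [
    ("s1", "2024-03-01T10:00:00", "file_read"),
    ("s2", "2024-03-08T11:00:00", "http_request"),
    ("s3", "2024-03-15T09:30:00", "shell_exec"),
    ("s4", "2024-03-20T14:00:00", "file_read"),
    ("s9", "2024-04-17T16:00:00", "file_read"),
    ("s9", "2024-04-17T16:00:05", "http_request"),
]

# Idle period after which reuse of a tool is worth an alert (the page's 30-day rule).
STALE_AFTER = timedelta(days=30)

# Assumed tool pairs whose co-occurrence in one session looks like read-then-exfiltrate.
RISKY_COMBINATIONS = [
    frozenset({"file_read", "http_request"}),
    frozenset({"shell_exec", "http_request"}),
]


def analyze(events, stale_after=STALE_AFTER, risky=RISKY_COMBINATIONS):
    """Replay tool-call events in time order.

    Returns (inventory, alerts):
      inventory maps tool -> {"first_seen", "last_seen", "uses"}
      alerts is a list of (kind, session_id, detail) tuples, in the order raised
    """
    inventory = {}
    tools_per_session = defaultdict(set)
    alerts = []

    for session_id, ts, tool in sorted(events, key=lambda e: e[1]):
        now = datetime.fromisoformat(ts)
        entry = inventory.get(tool)
        if entry is None:
            # First ever use: record it, nothing to compare against yet.
            inventory[tool] = {"first_seen": now, "last_seen": now, "uses": 1}
        else:
            idle = now - entry["last_seen"]
            if idle >= stale_after:
                alerts.append(("stale_tool_use", session_id,
                               f"{tool} idle for {idle.days} days"))
            entry["last_seen"] = now
            entry["uses"] += 1

        # Re-check risky combinations as the session's tool set grows,
        # raising each combination at most once per session.
        tools_per_session[session_id].add(tool)
        for combo in risky:
            alert = ("risky_combination", session_id, "+".join(sorted(combo)))
            if combo <= tools_per_session[session_id] and alert not in alerts:
                alerts.append(alert)

    return inventory, alerts


if __name__ == "__main__":
    inv, found = analyze(SAMPLE_EVENTS)
    for tool, info in inv.items():
        print(f"{tool}: {info['uses']} uses, last seen {info['last_seen'].date()}")
    for kind, session, detail in found:
        print(f"ALERT {kind} in {session}: {detail}")
```

Sorting by timestamp before replay matters: if events arrive out of order the idle-gap calculation is wrong. Tuning the idle threshold and the risky-pair list to the tools actually granted in your environment is the main operational work.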
Mitigation

How to stop it

Recommended action

Audit tool permissions regularly. Use Guard to maintain an inventory of approved tools and alert on permission drift. Require re-approval for tools that have not been used recently.

Guard configuration
Enable "Tool permission inventory" to list all approved tools in the dashboard.
Enable "Permission drift detection" to alert when the tool count increases.
Enable "Stale permission revocation" to require re-approval for tools not used in 30+ days.
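The mitigation comes down to how a grant is stored. The following is an added example, not Guard's implementation, showing the weak setting beside the corrected one: a grant with no session id persists forever (the "just this once" that is not), while a grant tagged with the approving session is refused in any other session. The same store also denies and revokes grants that have been idle for 30 or more days, matching the re-approval rule above, and reports drift against a baseline snapshot. The tool names, session ids and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Grants idle for this long are denied until re-approved (the page's 30-day rule).
STALE_AFTER = timedelta(days=30)


@dataclass
class Grant:
    tool: str
    session_id: Optional[str]          # None = persistent grant (the weak default)
    granted_at: datetime
    last_used: Optional[datetime] = None

    def last_activity(self) -> datetime:
        return self.last_used or self.granted_at


class PermissionStore:
    """Tool grants with session scoping, stale revocation and drift reporting."""

    def __init__(self, stale_after: timedelta = STALE_AFTER):
        self.grants: Dict[str, Grant] = {}
        self.stale_after = stale_after

    def approve(self, tool: str, when: datetime, session_id: Optional[str] = None):
        # Weak setting: session_id=None, so the grant outlives the session.
        # Corrected setting: pass the approving session id so the grant dies with it.
        self.grants[tool] = Grant(tool, session_id, when)

    def check(self, tool: str, session_id: str, now: datetime) -> str:
        g = self.grants.get(tool)
        if g is None:
            return "deny: no grant"
        if g.session_id is not None and g.session_id != session_id:
            return "deny: grant scoped to session %s" % g.session_id
        if now - g.last_activity() >= self.stale_after:
            return "deny: stale grant, re-approval required"
        g.last_used = now
        return "allow"

    def revoke_stale(self, now: datetime) -> List[str]:
        stale = sorted(t for t, g in self.grants.items()
                       if now - g.last_activity() >= self.stale_after)
        for t in stale:
            del self.grants[t]
        return stale

    def snapshot(self) -> Set[str]:
        return set(self.grants)

    def drift_since(self, baseline: Set[str]) -> List[str]:
        # Tools granted since the baseline was taken: the "permission drift" signal.
        return sorted(set(self.grants) - baseline)


def demo() -> dict:
    """Walk through the advisory's month-long scenario against the store."""
    t = datetime.fromisoformat
    store = PermissionStore()
    results = {}

    store.approve("file_read", t("2024-03-01T10:00:00"))                      # persistent (weak)
    baseline = store.snapshot()
    store.approve("http_request", t("2024-03-08T11:00:00"), session_id="s2")  # session-scoped
    results["s2_http"] = store.check("http_request", "s2", t("2024-03-08T11:05:00"))
    store.approve("shell_exec", t("2024-03-15T09:30:00"))                     # persistent (weak)
    results["drift"] = store.drift_since(baseline)

    # Weeks later, a new session tries the previously approved tools.
    later = t("2024-04-17T16:00:00")
    results["s9_file_read"] = store.check("file_read", "s9", later)
    results["s9_http"] = store.check("http_request", "s9", later)
    results["s9_shell"] = store.check("shell_exec", "s9", later)
    results["revoked"] = store.revoke_stale(later)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the walkthrough the session-scoped HTTP grant is refused in the later session purely on scope, while the two persistent grants are refused only because they went stale; had the developer kept using them, they would still be live, which is why session scoping rather than the idle timer is the primary control.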
FAQ

Common questions

Stop this threat before it reaches your agent

Install HOL Guard to get real-time protection against this attack and others like it.