OWASP ASI02: Tool Misuse

Modern agents reach databases, ticketing systems, payment APIs, and cloud control planes through tools and MCP servers. When an attacker steers the agent toward a permitted tool with malicious arguments, the call looks legitimate to traditional security controls but causes real-world damage.

Tool misuse typically includes:

  • Destructive operations: Inducing delete, drop, or transfer actions on production systems.
  • Privilege chaining: Combining permitted tools to reach an unauthorized end state.
  • Data exfiltration: Routing sensitive data to attacker-controlled tools or webhooks.
  • Out-of-scope writes: Modifying records or settings outside the task's intended scope.
  • Rate exhaustion: Calling tools at volumes that exhaust quotas or trigger costs.

What makes tool misuse difficult to detect is that the calls are syntactically legitimate. Distinguishing misuse from sanctioned use requires policy expressed in terms of intent and context, not just endpoint and method, which is why intent-aware authorization is now central to agent security architectures.

Effective programs catalog the highest-risk tool calls explicitly and require additional approval or attestation for those operations regardless of which agent or user initiates them.
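The intent-aware gate described above, as an added illustration rather than PointGuard's own code: every policy table, tool name and task scope here is a constructed assumption. The one function checks a single tool call against the task's declared scope and returns allow, deny, or approval-required, covering each of the five misuse patterns listed earlier.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed policy tables (hypothetical, not a real product's): tools whose
# calls always need sign-off, hosts that may receive data, per-task budgets.
HIGH_RISK_TOOLS = {"db.drop_table", "db.delete_rows", "payments.transfer"}
ALLOWED_WEBHOOK_HOSTS = {"hooks.corp.example"}
CALL_BUDGET = {"crm.search": 20}
DEFAULT_BUDGET = 100
EXPORT_TOOLS = {"crm.export"}  # reads whose output must not leave unreviewed


@dataclass
class TaskContext:
    """Intent of the current task: which tools and which records it may touch."""
    task_id: str
    allowed_tools: set
    writable_prefixes: set           # e.g. {"ACC-42"}: records this task may modify
    calls: dict = field(default_factory=lambda: defaultdict(int))


def authorize(ctx: TaskContext, tool: str, args: dict) -> tuple:
    """Decide one tool call: ('allow' | 'deny' | 'approval', reason)."""
    ctx.calls[tool] += 1
    # Out-of-scope tool: the task's intent never included it.
    if tool not in ctx.allowed_tools:
        return "deny", f"{tool} is not in the scope of task {ctx.task_id}"
    # Rate exhaustion: too many calls of one tool within this task.
    if ctx.calls[tool] > CALL_BUDGET.get(tool, DEFAULT_BUDGET):
        return "deny", f"{tool} exceeded its call budget"
    # Destructive operations: catalogued high-risk calls always need sign-off,
    # regardless of which agent or user is behind the task.
    if tool in HIGH_RISK_TOOLS:
        return "approval", f"{tool} is catalogued as high-risk"
    if tool == "http.post":
        host = urlparse(args.get("url", "")).hostname
        # Data exfiltration: only allow-listed destinations may receive data.
        if host not in ALLOWED_WEBHOOK_HOSTS:
            return "deny", f"destination {host!r} is not allow-listed"
        # Privilege chaining: an export followed by an outbound post is
        # reviewed even when the destination itself is allow-listed.
        if any(ctx.calls[t] for t in EXPORT_TOOLS):
            return "approval", "export followed by outbound post"
    if tool.startswith("crm.update"):
        rid = args.get("record_id", "")
        # Out-of-scope writes: the record must belong to the task's scope.
        if not any(rid.startswith(p) for p in ctx.writable_prefixes):
            return "deny", f"record {rid!r} is outside the task's write scope"
    return "allow", "within task intent and scope"
```

Calls are counted before the scope check so that a flood of denied calls still consumes the budget and is visible in `ctx.calls` for detection.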

How PointGuard AI Helps

PointGuard's Agent Governance Mesh applies intent-to-action validation on every tool call, denying invocations that fall outside the agent's authorized scope, and AI Runtime Guardrails block known-dangerous argument patterns before tools execute. The combined enforcement keeps even legitimate tool calls from being weaponized through hostile arguments or unintended chains.
