Tool Output Trusted Verbatim
Feeding raw tool output directly into the model's context — no validation, no schema check, no size cap, no sanitization.
Intent & Description
🎯 Intent
Accepting whatever a tool returns at face value and injecting it directly into the model’’s context — no schema check, no size limit, no trust label, no escape pass over instruction-shaped content.
📋 Context
Tools return 200 OK with error bodies, 50MB JSON blobs, and HTML with embedded instructions. The team assumed tools return well-formed, honest, bounded JSON. They don’’t.
💡 Solution
Validate every tool result against a schema. Cap response size. Sanitize HTML. Apply tool-output-poisoning defenses. See tool-output-poisoning, structured-output, input-output-guardrails.
Real-world Use Case
- Never use this; real tools return errors as 200 OK, oversized bodies, and injected text.
- Validate every tool result against a schema and enforce a response size cap.
- Apply tool-output-poisoning defenses and structured-output validation downstream.
Source
📌 TL;DR
Always validate, sanitize, and size-cap tool output before injecting it into the model’s context.
Disadvantages
- Silent context corruption when tool output doesn’’t match the expected shape
- Indirect prompt injection succeeds — instructions embedded in tool responses run as agent commands
- Context overflow from unbounded tool responses crashes or degrades the run