A safer agent design separates commands from outside data

Tool-using agents can be tricked when they read outside information from web pages, files, or . This risk is called , and it becomes more serious when an agent can take real actions after reading that outside information. Sentinel Gateway is a middleware layer that keeps trusted commands separate from untrusted outside data.

The main idea is not to guess whether an input is harmful, but to require a signed authorization token before any execution step can happen. This separates what the agent observes from what it is allowed to do. The implementation includes FastAPI middleware for tool calls, token checks for execution requests, a Streamlit screen for review and debugging, logs of agent choices and tool use, and either local storage or Postgres storage.

It is also designed to fit s, including Claude-based sessions.

Key points

  • is a risk where hidden instructions in outside data can steer an agent away from its intended rules.
  • Sentinel Gateway separates trusted commands from untrusted outside data.
  • Tool execution requires a signed authorization token, so seeing data is separate from being allowed to act on it.
  • The project includes FastAPI middleware, a Streamlit review screen, audit logs, and Postgres support.
  • The design can be used in , including Claude-based sessions.

Sources covering this story (2)

Read original