A safer agent design keeps tool execution on the server

Many human approval steps in AI only pause the process before the model still calls the tool itself. After a person clicks approve, a confused or attacked prompt can still lead to a real action if the model controls the tool call. The proposed design removes that power from the model.

The model can suggest an action and request approval, but it cannot see or call the real function that performs the action. When a person approves, the server runs the action once through a ledger. A broken prompt therefore has no direct route to trigger the tool.

write normal , while operators only see approve and reject buttons. The beta framework also lets a help build the pipeline from skills included in the packages.

Key points

  • The model proposes actions instead of directly running tools.
  • Approved actions are executed by the server one time through a ledger.
  • The model cannot see the real function that performs the action.
  • write , while operators use approve and reject buttons.
  • A can help create the pipeline from packaged skills.
Read original