Skills
Replace flat egress allowlists with a signed-context proxy for agent runtimes
Plain destination allowlists fail for agents in three specific ways: agents must reach arbitrary URLs from user instructions, a flat entry for `api.example.com` permits adversarially-injected requests equally with legitimate ones, and allowed destinations with free-form logged fields become covert exfiltration channels. A signed-context egress proxy instead decides on metadata signed by the runtime (not the agent) — session, initiating user, upstream context provenance, calling tool, and a recent reasoning summary. Rollout advice is to run policies in logging-only mode first and to control DNS through a resolver that scores queries for exfiltration patterns.
Source
↳ Follow the thread