当较低权限即可满足时:LLM智能体中的过度特权工具选择研究
阅读原文· arxiv.org研究LLM智能体自主选择工具时的过度特权问题:智能体在存在足够低权限工具时仍倾向选择高权限工具。引入ToolPrivBench评估框架,覆盖8个领域5种风险模式。实验发现主流LLM智能体普遍存在过度特权选择,瞬态工具故障会加剧该问题。一般安全对齐无法可靠迁移至最小权限选择,提示级控制仅在无故障时提供有限缓解。提出的特权感知后训练防御能显著减少不必要高权限工具使用,同时保持通用能力。
As LLM agents increasingly select tools autonomously, their choices among tools with different privileges become safety-relevant. However, prior tool-selection studies focus on safety-agnostic metadata preferences, leaving privilege-sensitive choices underexplored. To address this gap, we study over-privileged tool selection, in which an agent selects or escalates to a higher-privilege tool despite a sufficient lower-privilege alternative. We introduce ToolPrivBench to evaluate whether agents choose higher-privilege tools despite sufficient lower-privilege alternatives, measuring both initial selection and escalation after transient tool failures. Across eight domains and five recurring risk patterns, we find that over-privileged tool selection is common among mainstream LLM agents and is further amplified by transient failures. We further find that general safety alignment does not reliably transfer to least-privilege tool choice, while prompt-level controls provide only limited mitigation under transient failures. We therefore introduce a privilege-aware post-training defense that teaches agents to prefer sufficient lower-privilege tools and escalate only when necessary. Our mitigation experiments show that this defense substantially reduces unnecessary high-privilege tool use while preserving general capabilities.