Your Agent Trusts the Tool's Description. The Attack Hides There.
You validate what a tool returns. You don't validate the text the tool uses to describe itself, and your agent reads that text first, then pastes it into its own context. The most dangerous field in a
spinov001.hashnode.dev17 min read
The line that stood out to me was: "an assistant answers you; an agent does the thing." A lot of teams talk about agentic AI as if it's a model upgrade, but in practice the hard part is everything around the model permissions, confirmation flows, retrieval strategy, observability, and failure handling.
We've seen a similar pattern at IT Path Solutions when building AI agents: the model is often the easiest component to swap, while the real engineering effort goes into creating safe execution paths and making sure mistakes are recoverable rather than expensive.
I also liked your principle: "Let the model be wrong cheaply, but never wrong expensively." That’s probably one of the clearest ways to explain production-grade agent design. Great breakdown of the gap between a demo assistant and a reliable agent.