Exploiting Tool and Function Calling in LLM Agents

Sentry
21 May 2026 — 12 min read

The monster doll represents the AI agent: small, strange, and not fully aware of the danger around it. It’s scary, but a slightly dumb face shows that the agent is not evil by itself…

Tool calling gives injection attacks a path to backend/agentic actions. If a model can call functions, browse, read files, hit APIs, or drive a desktop, then untrusted input may be able to steer those actions.

We have already looked at two pieces of this problem from the Sentry side. In LLM API Misconfigurations, we showed how applications collapse their own trust boundary by exposing messages[], privileged roles, tools, or tool_choice to the client. In our Special Token Injection (STI) Attack Guide, we showed how poorly escaped control tokens and chat templates can let attacker-controlled input reshape message boundaries, roles, and even tool behavior. Tool calling exploitation is what happens when those problems are wired into an agent that can actually do things. It is squarely a security problem in the sense described in AI Red Team: Safety vs. Security: the attacker is targeting confidentiality, integrity, or availability through a system that now has agency.

0
    Your Cart
    Your cart is empty