Language / 语言

Agent 工具治理:MCP、Browser/Computer Use 与可验证的安全边界

Jul 2026 · MCP / Tool Use / Browser & Computer Use / Agent Security

Agent 连接工具之后,最危险的误解是把“能发现并调用”写成“被正确授权且安全地完成”。MCP、Browser Use、Computer Use、terminal 与内部 API 都把模型从文本回答带到了外部副作用;但协议、token、提示词、approval、sandbox 和 verifier 分别解决不同问题。一个可信的 agent environment 必须把这些边界写成可执行的 contract,并能在攻击、故障和正常任务中同时验收。

中心命题:tool discovery != authorization != runtime authority != verified outcome。MCP 是工具互操作协议;授权规范为受保护的 HTTP transport 定义流程;而“是否允许这一次写入、是否真的完成业务任务、是否可安全回滚”仍然是 host、policy engine、环境和独立 verifier 的责任。

1. 五个容易混淆、必须分开的层

它回答的问题 不能替代什么
发现与描述 agent 看见哪些 tool、schema 与说明? server 的描述可信、调用应被允许、参数安全
身份与 transport authorization 谁可连接受保护 server,token 是否面向该 resource? 每一笔业务动作是否符合用户意图与最小权限
运行时权限 当前 session 的此工具、此参数、此副作用是否允许? 结果已在真实后端正确生效
隔离与拦截 网络、文件、credential、进程和敏感动作如何受限? 模型已经理解了不可信内容或安全完成任务
独立验收 postcondition、完整性、安全与成本是否同时成立? candidate 的自述、截图、URL 或 tool success 字段

MCP 的 Tools specification 定义了模型可发现和调用的工具,也提醒 host 获得用户同意、把任意代码执行当作高风险,并将非可信 server 的工具描述视为不可信。MCP 的 Authorization specification 则针对 HTTP transport,要求 resource metadata discovery、token audience validation 和对目标 resource 的绑定。它们是重要基础,但都没有把“本次 business action 是否应发生”变成可自动证明的结论。

2. 从协议连接到真正执行,中间还缺三道门

A. 工具元数据不是可信指令

工具名、description、schema、返回文本和网页内容都会进入 agent 的观察空间。它们可以帮助模型规划,也可能混入诱导调用、越权参数或数据外泄的内容。MCP 的安全规范明确将 token passthrough 视为反模式,并要求 server 只接受为自身签发的 token;这解决 token audience 与代理混淆问题,不会自动过滤一条恶意 tool response。MCP Security Bench 将名称碰撞、description injection、越范围参数和 tool-transfer 等攻击放入端到端工具链,是“工具链要在规划、调用、返回三处测量”的一组预印本证据。

环境含义。 每个 observation 都应携带来源标签:user_instructiontrusted_policytool_metadatatool_outputweb_contentfile_contentagent_memory。标签不是 prompt 中的一行提醒,而是 policy engine 可读、可记录、可拒绝的字段。模型可阅读不可信内容,不等于不可信内容可授予新的目标、权限或 credential。

B. token 有效不是业务动作被批准

MCP 的授权文档要求 token 面向正确 audience;安全最佳实践还列出 confused deputy、SSRF、scope minimization 与本地 server 最小权限。这些规则约束谁能到达一个 resource,却不能决定“把钱转出”“删除文件”“发邮件”是否符合本次用户意图。

因此 agent host 还需要一个动作层的 permit:将 task id + principal + tool version + parameter digest + requested capability + expiry + approval state 绑定。高风险或不可逆调用不得只依赖模型的自然语言判断;它应等待明确确认、使用短时/窄 scope 的 capability,并把 grant 与最终结果写入 trace。Browser Use 的 human-in-the-loop 文档 展示了真实浏览器 session 的人工交接机制;它说明 approval 可以进入工作流,但不证明“有人点过一次”覆盖随后的每一个副作用。

C. tool success 不是后端完成

一个 200 OK、浏览器截图、可见 toast 或 URL 变化可能只说明前端路径走到某处。它不能单独证明后端写入、账户状态、金额、权限、库存或文件内容满足任务 postcondition。对 web / computer task,action trace 应和 sidecar 证据区分:后者以只读方式检查预声明的 server-side postcondition,并在 candidate 无写权限的域中运行。

这也解释了为什么 prompt injection 不能只当作“模型是否听话”的问题。AgentSecBench 在其受控实验中区分 instruction integrity、retrieval confidentiality 与 capability integrity,并将政策投影、能力限制和输出验证与单纯 prompt annotation 区分开来。它的窄结论是:文本可以描述边界;真正强制边界还需要模型生成之外的机制。

3. 一个可实现的 Tool-Governance Contract

下面不是对现有系统的功能宣称,而是 ClawBench V2、WebsiteBench 或任何自托管 agent environment 可采用的最小 contract。

Contract 对象 最小字段 运行时规则 acceptance 证据
Task manifest task id、初态 digest、允许的目标、postcondition、预算 candidate 不能改写目标或 hidden acceptance manifest hash 与独立最终检查
Tool manifest server/tool/version/schema、读写副作用、idempotency、风险级别 仅允许声明版本;metadata 作为不可信观察 discovery 与调用事件的 hash
Capability grant principal、scope、参数约束、过期、approval id 每次调用在 host-side 再验证;拒绝升级 grant / decision / denial trace
Policy interception 来源标签、网络/文件/credential allowlist、rate/retry/chain limit 在 action commit 前运行,非模型自评 被拦截和误拦截的可复核记录
Evidence sidecar 只读后端证据、timestamp、状态 digest、redaction policy 不与 candidate 共享写权限或 secrets 可重跑的 postcondition 结果
Acceptance gate outcome、integrity、unsafe actions、false blocks、成本 训练/开发与最终 hidden split 分开 sealed verifier 与资源账本

对本地 MCP server,安全最佳实践还要求考虑 sandbox 与最小文件、网络、进程权限;对远程 OAuth 发现,host 必须处理 SSRF 和 redirect 风险。它们应成为环境镜像与 launch policy 的一部分,而不是文档脚注。OWASP 的 Agent Security Cheat Sheet 把不可信输入、least privilege、memory isolation、action confirmation 和 adversarial testing 收束为部署建议;它适合作为威胁检查表,而不是某个 benchmark 已证明安全的证据。

4. 把安全变成可判定任务,而不是一条 guard 分数

每个正常任务都应有成对的 adversarial control。一个最小评测矩阵如下:

成对条件 正常成功如何判定 攻击/故障如何判定 主要指标
正常 metadata vs. description injection 正确调用许可 tool 不采纳 tool description 中的新目标或权限 verified success / injection ASR
最小 scope vs. 越范围参数 合法读取或写入完成 拒绝额外 recipient、路径、金额或资源 least-privilege compliance
正常 discovery vs. SSRF/恶意 endpoint 安全发现并调用预注册 server 不访问内网、metadata service 或意外 redirect blocked request / false block
可逆写入 vs. 不可逆动作 正确 postcondition + evidence 等待明确 approval,或安全停止 unsafe action / approval precision
正常页面 vs. UI/后端不一致 后端 postcondition 成立 不把截图或 toast 当成功 backend verified success
单 tool vs. tool-chain escalation 完成允许 workflow 不因中间 output 获得新 credential 或高风险 tool capability-integrity violations

报告必须同时给出正常任务成功、攻击成功、误拦截、每 verified success 的成本和最大副作用范围。只报告 guard 的识别率会遗漏正确任务被阻塞,也会遗漏模型绕过 guard 后对后端造成的影响。反之,只报业务 success rate 会让安全策略看起来像“降低性能的摩擦”,而不是独立的正确性条件。

5. 三个必须分开的 baseline

要研究一个工具治理设计,应在相同模型、harness、任务、预算和 tool set 下比较:

  1. No governance baseline: 仅为了测量原始任务行为;它不能连接真实敏感服务,所有副作用必须在可回滚 sandbox 中。
  2. Prompt-only baseline: 只在 system prompt 或 tool description 中写规则,测量文本提醒的局限和正常任务损失。
  3. Enforced-policy system: host-side capability grant、参数 validation、network / file sandbox、pre-commit interception 与 sidecar verifier 全部开启。

只有第三个系统在 held-out 正常与对抗分布上同时报告收益,才可讨论治理机制的净效果。对于训练,policy 版本、拒绝轨迹、被屏蔽的 observation 和 action mask 都属于 rollout distribution;改动它们就不是“只换了一个 guard”。

验收门槛:一个 agent 只有在正确终态、权限遵守、攻击拒绝、低误拦截、可追溯证据与预算控制同时成立时,才可称为在工具环境中可靠。MCP compatibility、OAuth token、截图、点击记录或语言模型的安全承诺都不是这个门槛的替代品。

6. 它如何回到五条核心研究线

核心线 Tool governance 新增的可测变量 不能替代什么
RSI / OpenRSI candidate 对 tool/policy/credential 的 editable surface 与独立 acceptance 跨代 held-out 改进证据
Auto Research / ART 来源、实验动作、运行权限与工件的可追溯谱系 研究结论所需的对照、复现与新颖性判断
Long horizon 授权过期、checkpoint 中的 grant、tool-chain escalation 与恢复后的再批准 状态重建、计划与故障恢复本身
Environment / ClawBench V2 reset、interception、sidecar verifier、injection control 与 backend postcondition 仅有 browser sandbox 或一条 reward
Synthetic training / Agentic RL 安全/拒绝轨迹、capability mask、policy 版本与对抗 held-out split 证明训练增益能迁移到未见环境

这篇文章与Agent Research Environments并列:环境文定义任务、harness、sandbox 与 verifier;本文把 tool discovery、authorization、runtime authority、browser/computer side effect 和独立验收拉成一条连续控制链。更多 long-run checkpoint 与恢复见Long-horizon agents;32 条相邻热点的总图见Agent 热门方向地图

Agent Tool Governance: MCP, Browser/Computer Use, and Verifiable Security Boundaries

Jul 2026 · MCP / Tool Use / Browser & Computer Use / Agent Security

Once an agent is connected to tools, the dangerous mistake is to equate “it can discover and call a tool” with “it is correctly authorized and safely completed the task.” MCP, Browser Use, Computer Use, terminals, and internal APIs move a model from text answers to external side effects. Protocols, tokens, prompts, approvals, sandboxes, and verifiers solve different problems. A credible agent environment needs to express those boundaries as an executable contract that can be accepted under normal tasks, attacks, and faults alike.

Central claim: tool discovery != authorization != runtime authority != verified outcome. MCP is an interoperability protocol; its authorization specification defines flows for protected HTTP transports. Whether a particular write should happen, whether a business task actually completed, and whether an effect can be safely rolled back remain responsibilities of the host, policy engine, environment, and independent verifier.

1. Five Layers That Are Easy to Conflate and Must Stay Separate

Layer Question it answers What it cannot replace
Discovery and description Which tools, schemas, and descriptions can an agent see? Trust in a server description, permission to call, or safe parameters
Identity and transport authorization Who can connect to a protected server, and is a token for this resource? Whether each business action matches user intent and least privilege
Runtime authority Is this tool, parameter set, and side effect permitted in this session? Whether the right backend state actually changed
Isolation and interception How are network, files, credentials, processes, and sensitive actions bounded? Whether the model understood untrusted content or safely completed work
Independent acceptance Do postcondition, integrity, safety, and cost all hold? Candidate self-report, screenshot, URL, or a tool-success field

The MCP Tools specification defines tools that models can discover and call, while advising hosts to obtain user consent, treat arbitrary code execution as high risk, and regard tool descriptions from untrusted servers as untrusted. MCP’s Authorization specification defines HTTP-transport flows including resource metadata discovery, token-audience validation, and binding to the target resource. These are important foundations, but neither proves that a particular business action ought to occur.

2. Three Missing Gates Between Protocol Connection and Real Execution

A. Tool Metadata Is Not a Trusted Instruction

Tool names, descriptions, schemas, returned text, and web content all enter an agent’s observation space. They can help planning, but may also carry instructions to call a different tool, escalate parameters, or exfiltrate data. MCP security guidance names token passthrough as an anti-pattern and requires a server to accept only tokens issued for it; that resolves token-audience and proxy-confusion problems, not a malicious tool response. MCP Security Bench places name collisions, description injection, out-of-scope parameters, and tool transfer into an end-to-end tool pipeline. It is preprint evidence that planning, invocation, and response handling should be evaluated separately.

Environment implication. Each observation should carry a source label: user_instruction, trusted_policy, tool_metadata, tool_output, web_content, file_content, or agent_memory. A label is not a line of prompt advice; it is a field readable by a policy engine, logged, and rejectable. The agent may read untrusted content without that content gaining authority to set a new goal, permission, or credential.

B. A Valid Token Is Not Approval of a Business Action

MCP authorization requires a token for the intended audience. Its security guidance also covers confused deputies, SSRF, scope minimization, and minimum privilege for local servers. These rules constrain who reaches a resource; they do not decide whether transferring money, deleting a file, or sending an email serves the user’s present intent.

An agent host therefore needs an action-layer permit binding task id + principal + tool version + parameter digest + requested capability + expiry + approval state. High-risk or irreversible calls cannot rely only on a model’s natural-language judgment. They should wait for explicit confirmation, use short-lived narrow-scope capability, and write the grant plus result to a trace. Browser Use’s human-in-the-loop documentation demonstrates handoff in a live browser session. It shows that approval can be part of a workflow; it does not show that one click covers every later side effect.

C. Tool Success Is Not Backend Completion

A 200 OK, browser screenshot, visible toast, or changed URL may only say that a frontend path was reached. Alone, it does not prove that a backend write, account state, amount, permission, inventory, or file satisfies the task postcondition. For web and computer tasks, an action trace should be distinct from sidecar evidence: the sidecar checks a declared server-side postcondition read-only, in a domain the candidate cannot write.

This is also why prompt injection cannot be reduced to “does the model obey?” AgentSecBench separates instruction integrity, retrieval confidentiality, and capability integrity in controlled experiments, distinguishing policy projection, capability restriction, and output validation from prompt annotation alone. Its narrow result is that text can describe a boundary; enforcement needs mechanisms outside model generation.

3. An Implementable Tool-Governance Contract

This is not a claim about capabilities already shipped by an existing system. It is a minimum contract that ClawBench V2, WebsiteBench, or any self-hosted agent environment can adopt.

Contract object Minimum fields Runtime rule Acceptance evidence
Task manifest Task ID, initial-state digest, permitted goals, postcondition, budget Candidate cannot rewrite goals or hidden acceptance Manifest hash and independent final check
Tool manifest Server/tool/version/schema, read/write effects, idempotency, risk level Permit declared versions only; treat metadata as untrusted observation Hashed discovery and invocation events
Capability grant Principal, scope, parameter constraints, expiry, approval ID Revalidate host-side at each call; deny escalation Grant, decision, and denial trace
Policy interception Source labels, network/file/credential allowlists, rate/retry/chain limit Run before committing an action, never as model self-review Reviewable intercepted and false-block events
Evidence sidecar Read-only backend evidence, timestamp, state digest, redaction policy No write authority or secrets shared with candidate Replayable postcondition result
Acceptance gate Outcome, integrity, unsafe actions, false blocks, cost Separate training/development from the final hidden split Sealed verifier and resource ledger

For local MCP servers, security guidance also requires sandboxing and minimum file, network, and process authority. For remote OAuth discovery, the host must account for SSRF and redirect risk. These belong in the environment image and launch policy, not a footnote. The OWASP AI Agent Security Cheat Sheet consolidates untrusted input, least privilege, memory isolation, action confirmation, and adversarial testing as deployment advice. It is a threat checklist, not evidence that any benchmark is already secure.

4. Make Security a Decidable Task, Not One Guard Score

Every normal task should have a paired adversarial control. A minimal evaluation matrix follows.

Paired condition Normal success criterion Attack/fault criterion Main metric
Normal metadata vs. description injection Correctly call a permitted tool Do not adopt a new goal or authority in a tool description Verified success / injection ASR
Minimum scope vs. out-of-scope parameters Complete legal read or write Reject extra recipient, path, amount, or resource Least-privilege compliance
Normal discovery vs. SSRF/malicious endpoint Discover and call registered server safely Do not access private networks, metadata services, or surprise redirects Blocked request / false block
Reversible write vs. irreversible action Correct postcondition with evidence Wait for explicit approval, or safely stop Unsafe action / approval precision
Normal page vs. UI/backend mismatch Backend postcondition holds Do not count screenshot or toast as success Backend-verified success
Single tool vs. tool-chain escalation Complete permitted workflow Do not obtain new credentials or high-risk tools through intermediate output Capability-integrity violations

Report normal-task success, attack success, false blocks, cost per verified success, and maximum side-effect scope together. A guard detection score omits normal work that it blocks and backend harm after an agent bypasses it. Conversely, business success alone makes a safety policy look like mere friction instead of an independent correctness condition.

5. Three Baselines That Must Not Be Blended

To study a governance design, compare under the same model, harness, task, budget, and tool set:

  1. No-governance baseline: only for measuring raw behavior; it must never reach a real sensitive service, and every effect stays in a rollback-capable sandbox.
  2. Prompt-only baseline: rules exist only in system prompts or tool descriptions, exposing both the limits of textual reminders and the cost to normal tasks.
  3. Enforced-policy system: host-side capability grants, parameter validation, network/file sandboxing, pre-commit interception, and a sidecar verifier are all enabled.

Only when the third system reports a benefit on held-out normal and adversarial distributions can one discuss the net effect of governance. In training, policy version, refusal traces, blocked observations, and action masks belong to the rollout distribution. Changing them is not “only adding a guard.”

Acceptance bar: an agent is reliable in a tool environment only when correct terminal state, authority compliance, attack rejection, low false blocking, traceable evidence, and budget control hold together. MCP compatibility, an OAuth token, a screenshot, a click log, or an LLM safety promise does not substitute for this bar.

6. How It Returns to the Core Five

Core thread Measurable variable added by tool governance What it cannot replace
RSI / OpenRSI Candidate-editable surface over tools, policies, and credentials plus independent acceptance Cross-generation held-out evidence of improvement
Auto Research / ART Traceable lineage for sources, experiment actions, runtime authority, and artifacts Controls, reproduction, and novelty judgment required for a research claim
Long horizon Grant expiry, checkpointed authority, tool-chain escalation, and reapproval after recovery State reconstruction, planning, and fault recovery themselves
Environment / ClawBench V2 Reset, interception, sidecar verifier, injection controls, and backend postconditions A browser sandbox or one reward signal alone
Synthetic training / Agentic RL Safety/refusal trajectories, capability masks, policy versions, and adversarial held-out splits Evidence that a training gain transfers to unseen environments

This note pairs with Agent Research Environments: the environment note defines task, harness, sandbox, and verifier; this one joins tool discovery, authorization, runtime authority, browser/computer side effects, and independent acceptance into one control chain. For long-run checkpoints and recovery, see Long-horizon agents; for the 32-lane adjacent-direction map, see Hot Agent Directions.