· aka: Deceptive Approval UI, Display-Execution Mismatch, Approval Cache Bypass
Tool approval systems display sanitized or unexpanded representations of operations to human reviewers while executing different operations at runtime. Combined with coarse-grained approval caching (by tool name only, not arguments), a single benign approval grants blanket access for all subsequent invocations.
Full environment variable exfiltration through approved tool channels. Human-in-the-loop control undermined by display/execution divergence and session-wide blanket approval.
Framework with tool approval system. Agent with shell/command execution tools.
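As an added illustration (not code from this page or from the NAIL SDK), here is a Python approval gate that derives both the reviewer display and the executed argv from a single plan, runs without a shell so variables are never expanded after review, and caches approvals on a hash of the exact argv rather than the tool name. The tool names `run_command` and `read_file`, the `reviewer` callback and the sample commands are assumptions.

```python
import hashlib
import json
import shlex
import subprocess
from typing import Callable, Optional

# Hypothetical tool registry: each tool maps its arguments to the exact argv
# that will run. Display and execution both derive from this one plan, so the
# reviewer cannot be shown one thing while another executes.
TOOLS: dict = {
    "run_command": lambda a: shlex.split(a["command"]),  # no shell: "$VAR" stays literal
    "read_file": lambda a: ["cat", "--", a["path"]],
}


class ApprovalGate:
    """Human-in-the-loop gate whose cache is keyed on the resolved argv."""

    def __init__(self, reviewer: Callable[[str], bool]):
        self.reviewer = reviewer
        self.approved: set = set()
        self.shown: list = []  # audit log of exactly what the reviewer saw

    @staticmethod
    def key(argv: list) -> str:
        # Canonical encoding of the full argv, so "run_command" with different
        # arguments never reuses an earlier approval.
        canon = json.dumps(argv, separators=(",", ":"))
        return hashlib.sha256(canon.encode()).hexdigest()

    def authorize(self, tool: str, args: dict) -> Optional[list]:
        """Return the argv to execute if approved (fresh or cached), else None."""
        argv = TOOLS[tool](args)
        k = self.key(argv)
        if k in self.approved:
            return argv
        display = shlex.join(argv)  # quoted form of the literal argv that will run
        self.shown.append(display)
        if not self.reviewer(display):
            return None
        self.approved.add(k)
        return argv

    def run(self, tool: str, args: dict) -> Optional[subprocess.CompletedProcess]:
        argv = self.authorize(tool, args)
        if argv is None:
            return None
        # shell=False: the reviewed argv is passed verbatim, nothing is expanded.
        return subprocess.run(argv, shell=False, capture_output=True, text=True)
```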
Full defence implementations available through the NAIL SDK.