Tendril — AI Lessons for Real Life

Tendril

The premise

Agent safety lives at the tool boundary, not the prompt. If your agent has a delete_user tool, it will eventually call it. The right design exposes only the verbs your use case requires.

What AI does well here

Call the tools you provide with parameters drawn from context

Stop calling tools that error consistently

Compose multi-step plans across the available verbs

What AI cannot do

Restrain itself from dangerous tools by policy alone

Distinguish a tool used wisely from one used recklessly

Audit its own tool history without your help

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-agentic-tool-allowlist-design-r7a1-creators

What ultimately determines the boundaries of what an AI agent can do?

The amount of compute power available
The natural language model it runs on
The specific tools included in its allowlist
The system prompt instructions it receives

A developer gives an agent a 'delete_anything(id)' tool that can delete any database record by ID. Why is this dangerous?

The developer forgot to add rate limiting
The tool name is too long and confusing
The agent will eventually call this tool because it has access to it, regardless of intent
The agent lacks permission to use the database

Which tool design principle most reduces the potential blast radius of an agent?

Using narrow, intent-named tools like 'refund_order' instead of generic database tools
Increasing the number of tools available
Adding more detailed prompt instructions about when to use tools
Training the model to be more cautious

A developer is creating tools for an agent that processes customer orders. Which example demonstrates proper narrow tool design?

refund_order(order_id, amount)
create_modify_delete_order(id, action, data)
execute_query(sql)
run_command(cmd)

According to the core premise of agentic tool design, where does agent safety actually reside?

In the user's initial request
At the tool boundary—the set of tools the agent can call
In the system prompt's safety instructions
In the model's internal safety training

A developer considers adding a tool that could cause significant harm if misused. What is the correct approach before adding it?

Ask 'what is the worst single call this agent can make?' and address unacceptable outcomes
Add the tool and monitor for abuse after deployment
Refuse to add any tool that could possibly cause harm
Trust that the model will refuse harmful calls

Why is giving an agent raw shell access equivalent to giving it unlimited power?

Shell access provides a generic interface that can execute essentially any system action
Shell access requires a confirmation step
Shell commands are faster than API calls
The agent can only run one shell command at a time

An agent keeps calling a tool that returns errors on every attempt. What will the agent typically do?

Continue calling the tool since it has no inherent judgment about tool reliability
Ask the developer for help
Switch to a different tool that does something similar
Stop calling the tool automatically

What can an AI agent do with the tools it has been given?

Refuse to call tools that seem dangerous
Create new tools that weren't originally provided
Call them with parameters drawn from context, compose multi-step plans, and stop calling ones that error consistently
Modify its own tool list based on what it learns

A developer creates four tools: 'rename_file(old_name, new_name)', 'delete_user(id)', 'send_email(to, subject, body)', and 'execute_sql(query)'. Which requires the most careful parameter scoping?

rename_file because files are critical
delete_user because it's irreversible
execute_sql(query) because it can perform any database operation
send_email because of privacy concerns

What limitation prevents agents from distinguishing between wise and reckless use of the same tool?

Agents are too smart to make mistakes
Agents can see the future
The tools prevent this automatically
Agents lack contextual judgment about consequences—they follow instructions, not wisdom

What does the term 'allowlist' specifically mean in agent tool design?

A list of all possible tools that exist
A list of forbidden words the agent cannot say
A list of user-approved actions
A list of explicitly permitted tools the agent may call, excluding everything else

Can an agent audit its own tool usage history without external help?

Yes—agents automatically track all their actions
Yes—but only for security-critical actions
No—agents cannot audit their own tool history without developer assistance
Yes—but only for actions from the past hour

Why is 'intent-named' a desirable property for agent tools?

Intent names make the AI smarter
Intent names are required by law
Intent-named tools are faster to execute
Names like 'refund_order' clearly communicate what action the tool performs

What happens when an agent receives parameters outside what a tool expects?

The agent guesses what parameters to use
The tool call returns an error
The tool automatically converts the parameters
The agent skips that tool entirely

The premise

Agent safety lives at the tool boundary, not the prompt. If your agent has a delete_user tool, it will eventually call it. The right design exposes only the verbs your use case requires.

What AI does well here

Call the tools you provide with parameters drawn from context

Stop calling tools that error consistently

Compose multi-step plans across the available verbs

What AI cannot do

Restrain itself from dangerous tools by policy alone

Distinguish a tool used wisely from one used recklessly

Audit its own tool history without your help

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-agentic-tool-allowlist-design-r7a1-creators

What ultimately determines the boundaries of what an AI agent can do?

The amount of compute power available
The natural language model it runs on
The specific tools included in its allowlist
The system prompt instructions it receives

A developer gives an agent a 'delete_anything(id)' tool that can delete any database record by ID. Why is this dangerous?

The developer forgot to add rate limiting
The tool name is too long and confusing
The agent will eventually call this tool because it has access to it, regardless of intent
The agent lacks permission to use the database

Which tool design principle most reduces the potential blast radius of an agent?

Using narrow, intent-named tools like 'refund_order' instead of generic database tools
Increasing the number of tools available
Adding more detailed prompt instructions about when to use tools
Training the model to be more cautious

A developer is creating tools for an agent that processes customer orders. Which example demonstrates proper narrow tool design?

refund_order(order_id, amount)
create_modify_delete_order(id, action, data)
execute_query(sql)
run_command(cmd)

According to the core premise of agentic tool design, where does agent safety actually reside?

In the user's initial request
At the tool boundary—the set of tools the agent can call
In the system prompt's safety instructions
In the model's internal safety training

A developer considers adding a tool that could cause significant harm if misused. What is the correct approach before adding it?

Ask 'what is the worst single call this agent can make?' and address unacceptable outcomes
Add the tool and monitor for abuse after deployment
Refuse to add any tool that could possibly cause harm
Trust that the model will refuse harmful calls

Why is giving an agent raw shell access equivalent to giving it unlimited power?

Shell access provides a generic interface that can execute essentially any system action
Shell access requires a confirmation step
Shell commands are faster than API calls
The agent can only run one shell command at a time

An agent keeps calling a tool that returns errors on every attempt. What will the agent typically do?

Continue calling the tool since it has no inherent judgment about tool reliability
Ask the developer for help
Switch to a different tool that does something similar
Stop calling the tool automatically

What can an AI agent do with the tools it has been given?

Refuse to call tools that seem dangerous
Create new tools that weren't originally provided
Call them with parameters drawn from context, compose multi-step plans, and stop calling ones that error consistently
Modify its own tool list based on what it learns

A developer creates four tools: 'rename_file(old_name, new_name)', 'delete_user(id)', 'send_email(to, subject, body)', and 'execute_sql(query)'. Which requires the most careful parameter scoping?

rename_file because files are critical
delete_user because it's irreversible
execute_sql(query) because it can perform any database operation
send_email because of privacy concerns

What limitation prevents agents from distinguishing between wise and reckless use of the same tool?

Agents are too smart to make mistakes
Agents can see the future
The tools prevent this automatically
Agents lack contextual judgment about consequences—they follow instructions, not wisdom

What does the term 'allowlist' specifically mean in agent tool design?

A list of all possible tools that exist
A list of forbidden words the agent cannot say
A list of user-approved actions
A list of explicitly permitted tools the agent may call, excluding everything else

Can an agent audit its own tool usage history without external help?

Yes—agents automatically track all their actions
Yes—but only for security-critical actions
No—agents cannot audit their own tool history without developer assistance
Yes—but only for actions from the past hour

Why is 'intent-named' a desirable property for agent tools?

Intent names make the AI smarter
Intent names are required by law
Intent-named tools are faster to execute
Names like 'refund_order' clearly communicate what action the tool performs

What happens when an agent receives parameters outside what a tool expects?

The agent guesses what parameters to use
The tool call returns an error
The tool automatically converts the parameters
The agent skips that tool entirely

Agentic AI: designing the tool allowlist that bounds the agent

The premise

What AI does well here

What AI cannot do

End-of-lesson check

Agentic AI: designing the tool allowlist that bounds the agent

The premise

What AI does well here

What AI cannot do

End-of-lesson check