The Trust Problem in AI Agent Tools (And How We Solve It)
Imagine you deploy an AI agent to handle customer support tickets. It reads emails, queries your database, drafts responses, and sends them. To do its job, it needs tools—and those tools need to execute code.
Who wrote that code? Where does it run? What can it access? What happens when it fails? Who's accountable if it does something wrong?
These are not hypothetical questions. As AI agents move from demos to production—from answering questions to taking actions—the tools they use become a security surface. And right now, most of the ecosystem treats tool security as an afterthought.
JarvisSDK was designed from the ground up with trust as a first-class concern. Here's why that matters, and how we approach it.
The Problem: Agents Execute Arbitrary Code
The most dangerous property of an AI agent is also its most valuable one: it can decide what to do without being explicitly told.
In a well-designed agentic system, the agent receives a goal, reasons about how to accomplish it, selects tools, and executes them. The LLM picks the tool. The tool runs code. Code affects real systems.
The attack surface here is significant:
Prompt injection can hijack the agent's tool selection. A malicious document in the agent's context can instruct it to call a different tool than intended, exfiltrate data to an attacker-controlled endpoint, or escalate permissions it shouldn't have.
Supply chain attacks target the tools themselves. If your agent pulls tool definitions from an external registry, a compromised module can run arbitrary code in your environment with whatever permissions the agent has.
Scope creep happens when tools have broader access than they need. A text-processing module shouldn't be able to make network requests. A file-reading module shouldn't be able to delete files. But without explicit capability boundaries, every tool gets whatever access the runtime provides.
Unaudited third-party code is the most common failure mode. Most agent tool catalogs are essentially GitHub repositories with a directory of functions. There's no review process, no certification, no versioning guarantees. You're running code from strangers.
These are real risks. And as agents handle increasingly sensitive operations—financial transactions, customer data, infrastructure changes—the stakes get higher.
The Current State: Not Great
Look at how most agent frameworks handle tool trust today:
LangChain tools: A directory of community-contributed tools. Code is reviewed via GitHub PRs, but there's no formal certification, no runtime sandboxing, and no trust scores. You add a tool by importing it and trusting that it does what the README says.
OpenAI function calling: The LLM generates a function call, and your code executes it. Security is entirely your responsibility. The spec says nothing about sandboxing, permissions, or what happens when a function call has unexpected side effects.
AutoGPT plugins: A plugin system where third-party developers can add capabilities. Early versions had essentially no sandboxing; plugins could access the filesystem, make network requests, and modify the agent's memory state.
MCP servers: The Model Context Protocol defines how LLMs communicate with tools, but makes no security guarantees about what those tools do. Connecting Claude to a malicious MCP server gives it full access to whatever that server exposes.
None of this is a criticism of these projects—they're solving discovery and execution, not security. But for agents operating in production environments with real data and real consequences, "trust but don't verify" is not an acceptable model.
JarvisSDK's Approach: Trust as Infrastructure
We treat trust not as a feature but as infrastructure—something that's always present, always measurable, and always improving.
Trust Tiers
Every module in the JarvisSDK catalog has a trust score: platinum, gold, silver, or bronze. These aren't marketing labels. They're computed from measurable signals:
| Tier | What it means |
|---|---|
| Platinum | Passed all 15 certification checks, active usage, zero critical failures in 30 days, community endorsement |
| Gold | Passed full certification, good health metrics, documented behavior |
| Silver | Passed core certification checks, consistent health |
| Bronze | Registered but not yet certified, or failed some checks |
When your agent queries the catalog, trust scores are surfaced in search results. When you configure an agent's allowed modules, you can set a minimum trust threshold: "only allow platinum and gold modules." This gives you a policy knob you can tune based on the sensitivity of the agent's task.
The Certification Pipeline
A JarvisSDK certification is not a human code review (though that's one path to gold and platinum). It's an automated pipeline with 15 discrete checks across four categories:
Schema checks (4 checks): 1. Input schema is valid JSON Schema Draft 7+ 2. Output schema is valid JSON Schema Draft 7+ 3. Every action has a non-empty description 4. Required fields are explicitly declared (no implicit requirements)
Security checks (4 checks): 5. No SSRF vectors in HTTP-type endpoints (IP ranges, localhost, cloud metadata endpoints are blocked) 6. No injection patterns in schema property names or descriptions 7. Authentication configuration is valid and non-nullable for sensitive actions 8. No secrets or credentials exposed in schema metadata
Sandbox checks (4 checks): 9. Module declares its capability set (what resources it may access) 10. Capability declarations match observed behavior in test execution 11. Module handles invalid input gracefully (no unhandled exceptions on malformed input) 12. Module respects timeout constraints (actions complete within declared time bounds)
Operational checks (3 checks): 13. Module has at least one passing end-to-end test on record 14. Module exposes a health endpoint that returns 200 with correct content-type 15. Error responses conform to the standard error schema
Fail any of these and you get bronze. Pass them all and you get silver. The path to gold and platinum requires operational history (uptime, error rates, usage volume) and, for the highest tier, human review.
# Run certification on your module
curl -X POST https://jarvissdk.com/api/v1/modules/your-module/certify \
-H "X-API-Key: $JARVIS_API_KEY"
# Check results
curl https://jarvissdk.com/api/v1/modules/your-module/certification \
-H "X-API-Key: $JARVIS_API_KEY" | jq '.checks[] | select(.passed == false)'Runtime Isolation
Trust scores and certifications describe a module's *stated* properties. Runtime isolation enforces them at execution time.
JarvisSDK's four runtime types have different isolation guarantees:
Builtin modules run in-process in the JarvisSDK runtime. They're compiled TypeScript, reviewed by the JarvisSDK team, and can't access anything outside their declared scope. The text-toolkit module manipulates strings; it has no access to the filesystem, network, or database. This is the highest trust tier by definition—it's code we wrote and control.
Composio modules delegate to the Composio API, which handles OAuth token management and API calls. Your credentials never leave Composio's infrastructure; JarvisSDK just passes parameters and receives results. The trust model relies on Composio's security posture for the underlying SaaS integrations.
HTTP modules call your external endpoint. JarvisSDK applies SSRF protections before the request, validates inputs against the declared schema, enforces timeout limits, and validates outputs against the declared schema. But the code running on your endpoint is your responsibility—HTTP modules have lower default trust for this reason.
Mock modules return static data and are explicitly excluded from production use. They're bronze by definition and filtered out of non-test environments.
The Circuit Breaker
Even certified, platinum-tier modules can have bad days. Services go down. APIs return errors. A normally reliable module starts timing out.
JarvisSDK runs a circuit breaker on every module: if a module's error rate exceeds a threshold in a 5-minute rolling window, it's automatically isolated. Executions return a circuit-open error, not a timeout. The agent (or your application code) sees a fast failure and can route around it.
When the circuit closes (after a configurable cooldown period), JarvisSDK probes with a single test execution before letting traffic flow again. This is standard resilience engineering, but it matters especially for agents: an agent that retries a failing tool call in a loop is an expensive, stuck agent.
{
"error": "CIRCUIT_OPEN",
"module": "external-api-toolkit",
"message": "Module circuit is open after 12 failures in the last 5 minutes",
"retryAfterSeconds": 300
}Permissions and Scopes
JarvisSDK modules declare capability sets—what resources they may access. Your API key can be configured to enforce these declarations at the platform level.
When you create an API key, you specify allowed capabilities:
{
"apiKey": "jsk_...",
"allowedCapabilities": ["text", "data", "search"],
"blockedCapabilities": ["email", "filesystem", "network-outbound"]
}An agent using this key can execute text processing, data transformation, and search modules. It cannot execute modules that send email, read files, or make outbound network requests—even if those modules are platinum-certified and the agent's LLM wants to call them. The capability policy is enforced at the API layer, not just the model layer.
This is the key insight: you cannot trust the LLM to enforce security boundaries. The LLM makes predictions; it can be fooled, jailbroken, or simply make mistakes. Security has to be enforced at the execution layer, where code actually runs.
Comparing Approaches
| Approach | Discovery | Certification | Runtime Isolation | Capability Control |
|---|---|---|---|---|
| LangChain community tools | GitHub repo | Manual PR review | None | None |
| OpenAI function calling | Your code | None | Your responsibility | Your responsibility |
| MCP servers | MCP manifest | None | Process isolation | Limited |
| JarvisSDK | 5 protocols | 15 automated checks + trust tiers | Per-runtime isolation + circuit breaker | Capability-scoped API keys |
This isn't a gotcha comparison—different tools have different goals. But if you're deploying agents in production with access to sensitive data or real-world side effects, the "none" columns are risks you're accepting.
What This Looks Like in Practice
Here's a practical example: you're building an agent that processes customer support tickets. It can read emails, query a knowledge base, and draft responses—but it absolutely should not be able to send emails without human approval.
// Production API key — no outbound email capability
const productionKey = 'jsk_prod_...';
// Staging API key — email allowed for testing
const stagingKey = 'jsk_staging_...';
const client = new JarvisClient({
apiKey: process.env.NODE_ENV === 'production' ? productionKey : stagingKey
});
// The agent can discover email-toolkit and construct a send action,
// but execution will fail with CAPABILITY_DENIED in production.
// The agent logs the draft and surfaces it for human review.You've separated the concern of what the agent wants to do (determined by the LLM) from what the agent is allowed to do (enforced by the platform). This is defense in depth: even if the LLM is manipulated into trying to send an unauthorized email, the capability policy prevents it.
The Enterprise Posture
For teams with compliance requirements—SOC 2, HIPAA, GDPR, or internal security policies—JarvisSDK's trust infrastructure translates directly to audit evidence:
- Module certification records document what code was reviewed and when
- Execution logs provide a complete audit trail of every tool call
- Capability policies enforce least-privilege access at the platform layer
- Circuit breaker events are logged and surfaced in the dashboard
- Trust scores provide a continuous risk signal, not just a one-time review
None of this eliminates the need for security-conscious agent design. You still need to think about what your agent has access to, what data flows through it, and what happens when it makes mistakes. But it gives you infrastructure to work with instead of having to build it yourself.
The Honest Answer
No tool catalog can guarantee that every module is safe for every use case. The platinum tier means a module has passed our automated checks, has good operational history, and has been reviewed by a human. It does not mean it's impossible to misuse or that it has no security bugs.
What JarvisSDK provides is a measurable, continuous trust signal—not a one-time promise. Trust scores change as modules' health metrics change. Certifications can be revoked if a security issue is discovered. The circuit breaker catches runtime failures automatically.
This is the right model for production software: not a checkbox that says "secure," but a system that continuously monitors, measures, and enforces.
For AI agents specifically, this matters more than it does for most software. Agents act autonomously. They make decisions you didn't anticipate. They call tools in contexts you didn't test. The trust infrastructure underneath them needs to be robust enough to handle those surprises—not assume they won't happen.
Read our security documentation or schedule a conversation about enterprise deployments.