LLM06:2025Excessive Agency
Slide 15 of 27
Part 3 · ScenariosSlide 15
Slide 15 · Scenario 2
The document summarizer that can also delete.
OWASP’s second scenario — deprecated plugins and unnecessary write access.
OWASP SCENARIO #2
Document Agent with Modify/Delete Access
An LLM agent is built to summarize uploaded documents. The developer chooses a plugin that, for convenience, provides read, write, and delete functions. The agent only uses read. Later, an updated plugin is deployed — but the old one is never deregistered. Both are running. A prompt injection in a crafted document the agent summarizes instructs it to call the delete function on specific files. All project documents for the last quarter are purged before anyone notices.
Why it matters: Two failures compounded: the agent had delete access it didn’t need, and a deprecated plugin was left running. Either alone is a risk. Together they created an irreversible data-destruction event triggered by a single crafted PDF.
The Fix

Restrict plugins to read-only functions. Maintain an inventory of all registered plugins and deregister deprecated ones immediately. High-impact operations like delete should require explicit human confirmation even if the plugin supports them.

← BackNext → Scenario 3: The shell plugin
📄 View sources for this lesson