Skip to main content
Web search and other external tools wrap results in safety markers — the model treats them as data, not instructions.
The user searches the web; external tool output is wrapped so the model treats it as data.

Quick Start

1

Simple Usage

Built-in search tools are protected automatically:
2

With Configuration

Mark custom tools as external:

How It Works

Auto-protected built-ins include duckduckgo, web_search, tavily_search, scrape_page, fetch_url, and others in the external tools set. MCP tools can be marked at registration time.
The hook-level scanner does not read a trust label off the payload. Prompt strings passed through before_llm_call are scanned unconditionally so a forged _source field cannot bypass the checks. Tool-level trust (external vs internal tool) is still governed by how the tool is registered — that hasn’t changed.

Configuration Options


Best Practices

Web APIs, scraping, MCP servers you do not control, and third-party feeds should use trust_level="external".
Removing <external_tool_result> tags breaks the model’s boundary between data and instructions.
Wrapping cost is minimal; under-marking exposes you to injection.
Combine with Tool Circuit Breaker and input validation for defence in depth.

Tool Circuit Breaker

Automatic tool failure detection and recovery

Security Overview

Complete security features and best practices