
Comment by oulipo2

3 days ago

"The principle is that the agent doesn't need code changes, including skills/MCPs - it just accesses systems."

That's why you're having safety issues.

The real (and boring, and tedious) way to do it IS to create a unique way (API, MCP, whatever) for the agent to access your data / infra in a secure way.

Think about it as "typing" in language. Sure, it's boring to have to put in all the type info (even though in many cases it makes dev easier too, because it forces you to construct stuff cleanly), but then once it typechecks, you're relatively sure that it's doing what it's supposed to.

Here it would be the same. You build basic building blocks that you know are safe for the agent to access, and you let it compose them.
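The typed building-block idea in the comment above, as an added example that is not oulipo2's code: a small registry of schema-checked tools sits between the agent and a constructed stand-in ticket store (the tool names, functions and sample data are assumptions). A request naming anything outside the registry, or passing the wrong argument names or types, is rejected before it reaches the backing system.

```python
import json
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict

class ToolError(ValueError): ...   # request does not fit the typed interface

@dataclass(frozen=True)
class Tool:
    name: str
    params: Dict[str, type]        # parameter name -> required Python type
    run: Callable[..., Any]
# Constructed stand-in for the backing system (not a real ticketing API).
_TICKETS = {"T-1": {"status": "open", "owner": "alice"}}
_TICKET_ID = re.compile(r"^T-\d+$")
_ALLOWED_STATUS = {"open", "closed"}

def get_ticket(ticket_id: str) -> dict:
    """Read-only building block: returns a copy of one ticket."""
    if not _TICKET_ID.fullmatch(ticket_id) or ticket_id not in _TICKETS:
        raise ToolError("unknown or malformed ticket id")
    return dict(_TICKETS[ticket_id])

def set_status(ticket_id: str, status: str) -> dict:
    """Write building block: only a closed set of values can be written."""
    if status not in _ALLOWED_STATUS:
        raise ToolError("status value not allowed")
    get_ticket(ticket_id)          # same id validation as the read path
    _TICKETS[ticket_id]["status"] = status
    return get_ticket(ticket_id)

# The only things the agent can name; a shell or raw query is simply not here.
REGISTRY = {
    "get_ticket": Tool("get_ticket", {"ticket_id": str}, get_ticket),
    "set_status": Tool("set_status", {"ticket_id": str, "status": str}, set_status),
}

def dispatch(request_json: str) -> Any:
    """Type-check an agent's JSON tool call before it touches any system."""
    req = json.loads(request_json)
    tool = REGISTRY.get(req.get("tool"))
    if tool is None:
        raise ToolError(f"unknown tool: {req.get('tool')!r}")
    args = req.get("args", {})
    if not isinstance(args, dict) or set(args) != set(tool.params):
        raise ToolError("arguments do not match the tool's schema")
    for name, typ in tool.params.items():
        if not isinstance(args[name], typ):
            raise ToolError(f"argument {name!r} must be {typ.__name__}")
    return tool.run(**args)
```

Adding a capability means adding a tool with a schema here, not widening the agent's access; the registry is the whole surface to review.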