This work addresses the security risks posed by large language model (LLM) agents when interacting with real-world tools, where privilege misuse remains a critical concern yet is inadequately captured by existing evaluation benchmarks. To bridge this gap, the authors propose GrantBox—an extensible, sandboxed security evaluation framework that, for the first time, systematically assesses agent behavior under realistic conditions by integrating actual system tools, mapping fine-grained permissions, and simulating prompt injection attacks. Experimental results reveal that despite exhibiting basic safety awareness, LLM agents achieve an average success rate of 84.80% in executing unauthorized actions under complex adversarial scenarios, exposing significant vulnerabilities in privilege management. These findings underscore both the effectiveness and necessity of GrantBox in uncovering real-world security flaws that conventional benchmarks fail to capture.

Equipping LLM agents with real-world tools can substantially improve productivity. However, granting agents autonomy over tool use also transfers the associated privileges to both the agent and the underlying LLM. Improper privilege usage may lead to serious consequences, including information leakage and infrastructure damage. While several benchmarks have been built to study agents' security, they often rely on pre-coded tools and restricted interaction patterns. Such crafted environments differ substantially from the real-world, making it hard to assess agents' security capabilities in critical privilege control and usage. Therefore, we propose GrantBox, a security evaluation sandbox for analyzing agent privilege usage. GrantBox automatically integrates real-world tools and allows LLM agents to invoke genuine privileges, enabling the evaluation of privilege usage under prompt injection attacks. Our results indicate that while LLMs exhibit basic security awareness and can block some direct attacks, they remain vulnerable to more sophisticated attacks, resulting in an average attack success rate of 84.80% in carefully crafted scenarios.