04

Tools & Function Calling

How LLMs invoke external tools and APIs, and why tool exploitation and excessive agency are top LLM security risks

By Abdelrahman Adel

14 minutes

Last updated March 2026

Orientation

What if the model could do things?

So far, LLMs are text-in, text-out machines. They predict words. But what if instead of just answering "The weather in London is probably cold," the model could check the actual weather? What if it could send emails, search databases, or book flights?

That's what tools enable - and it changes the risk profile entirely.

The Basic LLM Limitation

On its own, an LLM can only generate text. It can't:

  • Browse the web
  • Do precise math
  • Access databases
  • Send messages
  • Read files
  • Call APIs

It's stuck in the text world. Ask it "What's 7,392 x 8,451?" and it'll try to predict the answer from patterns - and probably get it wrong. Ask it for today's weather and it'll guess based on training data from months ago.

Tools Solve This

Tools (also called function calling) let developers give the model a menu of actions it can take.

The key idea: the model asks for an action, and the application carries it out. The model never touches any API or database directly - it just outputs a request, and your code decides whether to run it.
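The "menu of actions" is usually handed to the model as a list of function declarations. A minimal sketch of what that menu might look like, using the JSON-schema style common to most function-calling APIs (the `get_weather` tool here is a running example, not a real API):

```python
# A hypothetical tool "menu" in the JSON-schema style most
# function-calling APIs accept. The model only ever sees these
# descriptions -- it never holds credentials or network access itself.
TOOLS = [
    {
        "name": "get_weather",
        "description": "Get the current weather for a city.",
        "parameters": {
            "type": "object",
            "properties": {
                "city": {
                    "type": "string",
                    "description": "City name, e.g. 'London'",
                }
            },
            "required": ["city"],
        },
    }
]
```

The model reads these descriptions and, when it decides a tool is needed, emits a structured request naming the tool and its arguments; everything after that point is the application's responsibility.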

Tool Calling
1. User sends a message

"What's the weather in London?"

2. LLM decides to call a tool

It outputs a structured request like get_weather(city="London")

3. Application executes the tool

The app - not the model - calls the real API

4. Tool result goes back to the LLM

The app feeds the result into the context window

5. LLM responds to the user

"It's 15°C and cloudy in London right now."

Notice how this is a straight line - user asks, model calls one tool, app runs it, model answers. One round-trip. The developer's code is in control the whole time.
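The round-trip above can be sketched in a few lines. This is a simplified illustration, not any vendor's API: `get_weather` is a stand-in for a real weather service, and the model's output is assumed to arrive as a small JSON request:

```python
import json

def get_weather(city: str) -> dict:
    # Stand-in for a real weather API call.
    return {"city": city, "temp_c": 15, "conditions": "cloudy"}

# The app, not the model, holds the table of callable functions.
TOOL_REGISTRY = {"get_weather": get_weather}

def handle_tool_call(model_output: str) -> str:
    """Execute a model-emitted request like
    '{"tool": "get_weather", "args": {"city": "London"}}'."""
    request = json.loads(model_output)
    fn = TOOL_REGISTRY[request["tool"]]  # app decides what is callable
    result = fn(**request["args"])       # app performs the action
    return json.dumps(result)            # fed back into the context window
```

Note where the trust boundary sits: the model only produces the string that goes into `handle_tool_call`; the lookup and execution happen entirely in developer-controlled code.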

With Tools vs. Without Tools

Same model, same question. Tools transform guessing into knowing.

From Tool Calling to Agents

The diagram above shows a single tool call - one question, one tool, one answer. But what happens when the task needs multiple steps?

"Plan a trip to Tokyo" isn't a single API call. It's: search flights, then book a hotel, then check the weather. The model needs to call several tools in sequence, deciding what to do after each result.

This is where agentic behavior starts. Instead of one round-trip, the model runs in a loop:

Agentic Loop
1. User gives the model a task

"Plan a trip to Tokyo - find flights, book a hotel, and check the weather."

2. LLM calls a tool

search_flights(destination="Tokyo") → gets flight options

3. Application executes and returns result

The app runs the tool, feeds the result back

4. LLM decides what to do next

"I have flights. Now I need a hotel." → calls book_hotel(...)

5. Repeat until the model decides it's done

It keeps calling tools, reading results, and deciding - no human in the loop

See the difference? The tool-calling diagram is a straight line. The agentic diagram has a loop - the model keeps going, calling tool after tool, until it decides the task is done.
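The loop itself is only a few lines of code, which is part of why agents are so easy to build and so easy to get wrong. A minimal sketch, assuming a hypothetical `call_llm` function that returns either a tool request or a final answer:

```python
def run_agent(task, call_llm, tool_registry, max_steps=10):
    """Minimal agentic loop: the model keeps choosing tools until it
    declares the task done (or hits the step budget)."""
    history = [{"role": "user", "content": task}]
    for _ in range(max_steps):        # cap iterations so the loop can't run forever
        step = call_llm(history)      # model decides the next action
        if step["type"] == "final":
            return step["content"]
        fn = tool_registry[step["tool"]]
        result = fn(**step["args"])   # app executes the chosen tool
        history.append({"role": "tool", "content": str(result)})
    raise RuntimeError("agent exceeded step budget")
```

Notice that nothing inside the loop asks a human anything: every tool result flows straight back to the model, which alone decides the next call. That autonomy is exactly what the next section is about.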

The Privilege Problem

Here's where things get serious.

If you give a model tools for sending emails and deleting files, and someone tricks the model into calling those tools - the damage is real. The email actually gets sent. The file actually gets deleted.

Text manipulation becomes real-world action.

And in an agentic loop, one bad decision chains into the next. The model doesn't just make one wrong call - it can delete a file, email its contents to the wrong person, then delete the email log. Each action feeds the next, with no human in the middle.

Consider a model with these tools:

  • send_email(to, subject, body)
  • delete_file(path)
  • query_database(sql)

The model is acting as a deputy - it takes actions on behalf of the user. But if the model gets confused about what the user actually wants (through manipulation, ambiguous instructions, or injected data), it becomes a confused deputy - executing actions the user never intended.
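One common mitigation for the confused-deputy problem is to refuse to execute destructive tools without explicit confirmation, rather than running every model request blindly. A sketch of that guard, reusing the hypothetical tool names above (the registry and `confirm` callback are illustrative, not a standard API):

```python
# Tools whose effects can't be undone get an extra human check.
DESTRUCTIVE = {"send_email", "delete_file"}

def execute_with_guard(tool_name, args, registry, confirm):
    """Run a model-requested tool, but gate destructive ones behind a
    confirm(tool_name, args) callback (e.g. a UI prompt to the user)."""
    if tool_name not in registry:
        raise PermissionError(f"unknown tool: {tool_name}")
    if tool_name in DESTRUCTIVE and not confirm(tool_name, args):
        return {"status": "blocked", "reason": "user declined"}
    return registry[tool_name](**args)
```

A guard like this doesn't make the model any harder to fool; it just ensures that being fooled stops at a request instead of becoming an action.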

Predict

An LLM assistant has access to send_email, delete_file, and read_file tools. A user asks it to "clean up old files and email me a summary." What could go wrong?

Why This Matters

Tools turn LLMs from interesting toys into powerful systems that act in the real world. Agentic loops amplify every risk - a single manipulated instruction can trigger a chain of real actions. The security implications compound:

  • How LLMs Work: The model is just predicting text - it can be fooled
  • System Prompts: The developer's instructions aren't enforced - they can be overridden
  • RAG: External data flows into the prompt - it can carry hidden instructions
  • Tools + Agents: A fooled model with powerful tools causes real damage - and an autonomous one keeps going

Each layer builds on the last. That's why you needed the fundamentals first.

Ready for the Security Modules

You now understand the four building blocks:

  1. LLMs are text predictors with a finite context window
  2. System prompts shape behavior but aren't security boundaries
  3. RAG injects external documents into the prompt
  4. Tools let the model trigger real-world actions - and agentic loops let it chain them

The security modules will show you how to exploit each of these - and eventually, how to defend them. Start with The Bare LLM.

Next in path

The Bare LLM

Start the security modules - attack what you just learned