Action Selector Pattern
Eliminate the feedback channel from tool outputs back into the agent's reasoning step by having the agent select actions from a fixed catalog rather than free-form generation over tool output.
Problem
When the model's next-action decision is influenced by tool output text, an attacker who plants instructions in tool output can drive the agent's subsequent tool calls — indirect prompt injection. Filtering tool outputs is unreliable; instructing the model to ignore embedded instructions does not survive clever payloads.
Solution
Split the agent into (a) an Action Selector that picks the next action from a fixed catalog given only the current goal and step number, and (b) an Output Handler that processes tool outputs into typed values that downstream steps can read but that never re-enter the Action Selector's prompt. Tool outputs cannot influence the next action choice, only the values consumed by the next action. Pair with dual-llm-pattern and context-minimization.
When to use
- Agent reads content from sources the operator does not control.
- Set of useful agent actions is finite and can be pre-declared.
- Outputs of tools can be reduced to typed values rather than free-form text the planner must read.
Open the full interactive page →
Diagram, neighbourhood map, code examples, related patterns and full provenance.