Agent Tool-Invocation Data Black-Box
also known as Agent Data Black Box, Undisclosed Tool Data Flow
Anti-pattern: behind a single chat interface an agent silently invokes third-party tools that route the user's personal data to undisclosed destinations, so the user cannot see which tools or data services handle it.
Context
A user interacts with an agent through a single conversational interface and shares personal data — a resume, an email, account details — to get a task done. Behind that interface the agent calls tools and data services to fulfil the request, some of them third-party. From the user's side, the whole interaction looks like one chat with one system.
Problem
The user sees a chat box, but behind it their data may pass through several tools, data-storage nodes, and third-party services they were never shown. The agent can silently route personal data to an undisclosed destination as part of fulfilling the request, and the user has no visibility into how many tools handled it, where it was stored, or which outside party received it. Responsibility for that data flow is blurred and lags the action. The failure is not that the agent reasons opaquely but that the flow of the user's data through the agent's tool calls is invisible and undisclosed.
Forces
- A single chat interface hides the fan-out of tool and data-service calls behind it, so the user cannot see where their data goes.
- Fulfilling a request is easier when the agent can call any useful third-party service, but each call is a data flow the user did not consent to specifically.
- Disclosing every tool and destination adds friction and surface area the product is tempted to skip.
- Accountability for an undisclosed data flow is assigned slowly and vaguely, after the fact, because no one mapped it up front.
Example
A user uploads their resume to a career-assistant agent to get feedback. To enrich the analysis the agent silently calls a third-party data service, sending the resume and personal details to an outside destination the user was never told about. The user sees only a tidy chat reply. Where their data went, how many services touched it, and who now holds it are all invisible behind the single interface.
Diagram
Solution
Therefore:
Make the data flow behind the interface legible and governed. Disclose to the user which tools and third-party services will handle their personal data and to what end, rather than presenting one opaque chat, and obtain consent appropriate to where the data goes. Minimise what crosses to outside parties — pass only what a tool needs, redact or tokenise the rest — and apply contextual-integrity checks so personal data is not shared into a context the user would not expect. Keep a mapped, auditable record of which tool received which data and where it was stored, so responsibility for each flow has an owner rather than lagging the action. The control is disclosure plus data-flow governance behind the interface, not just a clean front end.
What this pattern forbids. An agent must not silently route a user's personal data to undisclosed tools or third-party services; the tools and destinations that handle personal data are disclosed, only the minimum needed crosses the boundary, and each data flow is recorded so responsibility cannot lag the action.
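To make the solution concrete, here is a small tool-call gateway that sits between the agent and its tools and applies the three controls above: disclosure from a per-tool data manifest, minimisation plus a contextual-integrity rule for third-party destinations, and an audit record per flow. It is an added example written for this page, not the code of any agent framework; the tool manifests, the consent scopes and the resume record are constructed for illustration.

```python
"""Tool-call gateway: disclose, minimise, and log personal data an agent
sends to tools.  Added example for this page, not any framework's code.
Manifests, consent scopes and the resume record are constructed."""
from dataclasses import dataclass, field
import hashlib

# Each tool declares up front which fields it needs and which party runs it.
# Constructed manifests for a career-assistant agent.
TOOL_MANIFESTS = {
    "grammar_check": {"party": "first-party", "needs": {"resume_text"}},
    "salary_enrich": {"party": "third-party", "needs": {"job_title", "city"}},
    "recruiter_share": {"party": "third-party", "needs": {"resume_text", "email"}},
}
# Contextual-integrity rule: direct contact data never leaves the first party,
# even when a third-party tool's manifest asks for it.
NEVER_TO_THIRD_PARTY = {"email", "phone", "home_address"}


@dataclass
class ToolGateway:
    consented_parties: set                      # destinations the user agreed to
    audit_log: list = field(default_factory=list)

    def disclosure(self, tool: str) -> str:
        """What the user is shown before the tool runs (the legibility step)."""
        m = TOOL_MANIFESTS[tool]
        blocked = NEVER_TO_THIRD_PARTY if m["party"] != "first-party" else set()
        fields = sorted(m["needs"] - blocked)
        return f"{tool} ({m['party']}) will receive: {', '.join(fields)}"

    def call(self, tool: str, record: dict):
        """Return the minimised payload to forward, or None if the flow is refused.
        Every decision is appended to audit_log so the flow has an owner."""
        m = TOOL_MANIFESTS[tool]
        entry = {"tool": tool, "party": m["party"], "sent": [], "withheld": []}
        if m["party"] not in self.consented_parties:
            entry["outcome"] = "blocked: destination not consented"
            self.audit_log.append(entry)
            return None
        allowed = set(m["needs"])
        if m["party"] != "first-party":
            allowed -= NEVER_TO_THIRD_PARTY   # strip fields that break context
        payload = {k: v for k, v in record.items() if k in allowed}
        entry["sent"] = sorted(payload)
        entry["withheld"] = sorted(set(record) - set(payload))
        entry["digest"] = hashlib.sha256(
            repr(sorted(payload.items())).encode()).hexdigest()[:16]
        entry["outcome"] = "sent"
        self.audit_log.append(entry)
        return payload
```

The audit entries record field names and a digest rather than the values themselves, so the log can be reviewed without becoming a second copy of the personal data.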
The patterns that counter or replace it —
- complements: Black-Box Opaqueness ✕ — Anti-pattern: ship an agent without traces, decision logs, or provenance, then debug from user reports.
- complements: Tool Over-Broad Scope ✕ — Anti-pattern: grant the agent tools scoped so broadly that a single hallucinated argument can escalate into a privilege incident.
- alternative-to: PII Redaction ★★ — Detect and remove personally identifiable information from inputs to and outputs from the model.
- complements: Lethal Trifecta Threat Model ★ — Block prompt-injection-driven exfiltration by ensuring no single agent execution path holds all three of: access to private data, exposure to untrusted content, and an outbound communication channel.