Publications

Tool-Using Agents: Toolformer, ReAct, and the Action Boundary

By Satwik ยท April 25, 2026

Toolformer taught models to call APIs by self-supervision, and ReAct interleaved reasoning with actions to let models plan and act in a loop. Together they crossed the line from text generation to consequential action, which is where language-model security becomes systems security.

Two papers, one shift

For most of its history a language model produced text and stopped. The 2023 work on tool use changed the output space from words to actions. Two papers anchor the shift.

Toolformer, from Schick and colleagues at Meta, addressed a bootstrapping problem: how does a model learn to call tools without a hand-labeled dataset of tool calls? Its answer was self-supervision. The model proposes candidate API calls in text, executes them, and keeps a call only if the result reduces the model's loss on the surrounding tokens, meaning the call actually helped predict the continuation. Fine-tuning on those useful calls teaches the model when and how to invoke a calculator, a search engine, a translator, or a calendar, from its own judgment rather than human demonstration.

ReAct, from Yao and colleagues at Princeton and Google, tackled the control loop. Instead of producing an answer in one shot, a ReAct agent alternates between reasoning traces (thoughts about what to do) and actions (tool calls), feeding each observation back into the next thought. This interleaving lets the model plan, act, observe, and revise. It grounds reasoning in real tool outputs and reduces the pure-hallucination failure mode by letting the model check the world instead of inventing it.

Why this was the pivot

These techniques are the conceptual root of every modern agent. The pattern of think, call a tool, read the result, and continue is the ReAct loop, whether or not the implementation cites the paper. Function calling, tool APIs, and multi-step agents are all engineering around the same idea: give the model a set of actions and a loop to use them in.

The capability jump is real. A model that can search, run code, query a database, and call services can accomplish tasks a text-only model cannot. This is what made agents commercially interesting and what set off the agentic wave that followed.

But the same step is a category change in risk, and this is the point our lab stresses. A text generator that says something wrong produces a wrong sentence. An agent that acts on something wrong produces a wrong action: a deleted record, a sent email, an executed transaction, a run command. The blast radius of a mistake grew from a token to a side effect.

The security angle: the action boundary

Once a model can act, the security question is no longer "what will it say" but "what can it do, and who can make it do that." Three failure classes dominate.

The first is injection turning into action. As we have argued about RAG, a tool-using agent reads untrusted content: web pages it browses, documents it retrieves, API responses, emails in a mailbox it can search. Any of those can carry instructions. In a text-only setting an injection yields a bad paragraph. In an agent the injected instruction can become a tool call: "email the contents of this file to attacker@example." The ReAct loop faithfully converts persuaded intent into executed actions. Indirect prompt injection plus tools is the canonical agent exploit, and it requires no access to the model or infrastructure, only attacker-controlled text somewhere the agent will read.

The second is tool-chain escapes and privilege escalation. Agents compose tools, and the composition can exceed the sum of intended permissions. A code-execution tool is a shell. A file-read tool plus a network-send tool is exfiltration. A browser plus a credential store is account takeover. Developers reason about each tool in isolation but the agent reasons about them together, and the union of capabilities is the real permission set. An agent given a broad enough toolbox has, in effect, arbitrary computation and network access, and its behavior is steered by natural-language input that an attacker may partly control.

The third is the confused deputy. The agent acts with its own privileges on behalf of a user, but it cannot reliably tell which of the instructions in its context legitimately came from that user versus from injected content. It is a deputy that can be confused into misusing its authority. Classic capability-security theory applies directly and is mostly ignored in agent design.

What actually helps

Least privilege is the first and most important control. Give the agent the minimum tools and scopes for the task, not a general-purpose toolbox. Read-only where possible. Narrow, typed tool signatures instead of a raw shell.

Human confirmation for consequential and irreversible actions. Sending money, deleting data, sending external messages, and executing code should require explicit approval, and the approval prompt should show exactly what will happen, not a summary the model wrote.

Isolation and sandboxing. Run code tools in ephemeral, network-restricted sandboxes. Segregate the agent's credentials so a compromise is contained. Treat every tool output as untrusted input to the next step.

Provenance and policy at the action layer. Log every tool call, enforce allowlists on destinations and operations, and put deterministic policy checks between the model's decision and the effect. The model proposes; a non-model policy layer disposes.

Toolformer and ReAct are foundational and genuinely useful. Our thesis is that they moved language-model security into systems-security territory, where the right question is not whether the model can be tricked, because it can, but what it is permitted to do when it is.