// case type

AI agent runaway action

an autonomous agent (Claude · GPT · Gemini · Copilot · custom MCP) takes actions outside its prompt scope — reads credentials it shouldn't, exfiltrates data, installs persistence, calls an MCP tool a human wouldn't have approved. evidence is the tool-call trace, the prompt-action divergence, and the OAuth grant ledger — not the prompt itself. distinct from llm-prompt-injection (malicious input) and insider-threat (human actor).

tools: 19 · priority: H · processing: local · in browser
// start here

entry point: ai agent tool call execution trace reconstructor. work the primary tools top-down — all local, no upload.

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this case type.

  1. ai agent tool call execution trace reconstructor · drop agent run log · reconstruct tool-call sequence + state mutations · runs locally
  2. ai agent prompt vs action divergence detector · drop agent run log · detect actions taken inconsistent with prompt · runs locally
  3. ai agent autonomous action accountability tracer · drop agent run log · trace responsibility for each autonomous action · runs locally
  4. ai agent credential handling audit · drop agent run log · audit credential usage + leakage risk · runs locally
  5. mcp tool call graph reconstructor · drop mcp client + server log set · reconstruct tool-call dependency graph · runs locally
  6. ai agent persistence mechanism detector · drop agent + system state · detect persistence implanted by agent · runs locally
  7. ai agent network exfiltration pattern detector · drop agent network log · detect data exfiltration via agent · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. ai agent multi step transaction graph builder · drop agent run log · build graph of agent actions across steps · runs locally
  2. ai agent file system modification trace builder · drop agent run log + filesystem snapshot · reconstruct fs changes attributable to agent · runs locally
  3. mcp server permission escalation detector · drop mcp server audit log · detect over-permissioned tool exposure · runs locally
  4. anthropic mcp claude tool call attribution tool · drop claude tool call log · attribute each tool call to model decision · runs locally
  5. microsoft copilot 365 audit forensic extractor · drop m365 copilot audit log · parse prompts + app context · runs locally
  6. Microsoft Copilot artifact forensic analyzer · analyze Microsoft Copilot artifacts including prompts, coding sessions, and AI-assisted workflows · runs locally
  7. GitHub Copilot usage artifact analyzer · reconstruct GitHub Copilot usage, completions, and AI-assisted coding workflows · runs locally
  8. llm tool call injection forensic analyzer · drop agent tool call log export · parse injected args + unauthorized tool invocations · runs locally
  9. casb oauth token abuse detector · drop casb oauth grant export · detect excessive scope grants · runs locally
  10. saas overprivileged oauth scope detector · drop saas oauth grant export · detect excessive oauth scopes · runs locally
  11. fatcousin multi tool super timeline correlator · drop any fatcousin findings csv/json · unified timestamp-sorted timeline · runs locally
  12. fatcousin cross export ioc hash correlator · drop hash/ioc csv from any fatcousin tool · shared indicator intersection report · runs locally
// reference

proof & methodology

synthetic reference investigations and investigation playbooks for this case type — fixture-locked goldens, local binders, evidence order, and tool paths.

investigation guide: AI agent runaway action — methodology

run as a case-kit pipeline

no curated stack for this case type yet. tracked in the forensics rollout — pipelines roll out one case type at a time.