# LLM Excessive Agency

- ID: javascript-llm-excessive-agency
- Severity: HIGH
- CWE: Missing Authorization (CWE-862)
- Languages: JavaScript, TypeScript
- Frameworks: nodejs, express

## Description

Detects LLM implementations granted more autonomy than their task requires, so that a single bad model output (a prompt-injected instruction, a hallucinated tool call) turns into an unreviewed real-world action. Maps to OWASP Top 10 for LLM Applications, LLM08: Excessive Agency.

Excessive agency occurs when an LLM is granted:

- The ability to perform destructive operations without confirmation
- Auto-execution of LLM-generated code or shell commands
- Direct database modifications without approval
- Financial transactions without human oversight
- Email or other outbound communication without review

This rule detects:

- Auto-execution of tool calls without human approval
- Destructive operations (delete, update, send) without confirmation
- Autonomous agent loops without termination controls
- Missing human-in-the-loop checks for sensitive operations

## Detection Message

Excessive LLM agency detected: {issue_type}

## Remediation

Route sensitive tool calls through an approval queue instead of executing them directly, and cap the number of iterations an agent loop may run. Enforce the gate in application code; an instruction in the system prompt asking the model to "confirm before deleting" is not an authorization control, because the model output is the untrusted input being checked.

```javascript
// SENSITIVE_OPERATIONS is the set of tool names that must never run
// without a human decision (delete, update, send, pay, ...).
if (SENSITIVE_OPERATIONS.has(toolName)) {
  // Park the call for review; nothing is executed here.
  await queueForApproval(toolCall);
} else {
  // Read-only or otherwise safe tools may run automatically.
  await executeSafeToolCall(toolCall);
}
```

Learn more: https://shoulder.dev/learn/javascript/cwe-862/llm-excessive-agency