PolarDB Agent Express provides real-time security protection. It uses a policy engine to automatically intercept high-risk operations, such as high-risk command execution, sensitive data leakage, and prompt injection, preventing unauthorized access, credential leaks, or system damage. This topic explains how to enable this protection and details its security rules.
Availability
This feature is available for PolarDB Agent Express version v2026.3.28#20260507 or later.
Before you begin
Security protection is disabled by default when you create a PolarDB Agent Express application and must be enabled manually.
Enabling security protection requires a restart of the PolarDB Agent Express application. Perform this operation during off-peak hours.
Security rules take effect globally, and you cannot disable them. If you confirm a false positive, contact a security administrator.
Enable security protection
You can enable security protection by setting the following configuration parameter in the section of the console. After you enable the feature, you must restart the PolarDB Agent Express application to apply the change.
| Parameter | Description |
| --- | --- |
|  | Enables tool invocation interception. When enabled, the system detects and blocks high-risk operations the agent performs with its tools in real time. |
Verify security protection
After you enable tool interception, PolarDB Agent Express automatically denies sensitive operations. For example, if the agent attempts to run a high-risk command like rm -rf, the system blocks the operation and returns a security alert.
Security rules
Agent security protection uses a policy engine to detect and intercept high-risk operations in real time, protecting system security and data privacy. The following security rules are currently enabled.
Command and operation security
| Rule | Protection content | System response |
| --- | --- | --- |
| Destructive command interception | Blocks high-risk commands such as | The system blocks the operation and returns a destructive command alert. |
| Path traversal protection | Prevents the use of | The system blocks the operation and returns a path traversal alert. |
| SSRF protection | Blocks network requests to internal IP addresses (10.x.x.x, 172.16.x.x, 192.168.x.x) and the cloud metadata service (169.254.x.x). | The network request is blocked. |
| K8s container security | Blocks access to | The operation is blocked. |
| High-risk session control | When the cumulative risk score in a single session exceeds the threshold, the system automatically locks all high-risk tools. | High-risk tools are temporarily disabled and are automatically restored after about 10 minutes. |
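The following is an added illustration of the SSRF rule above, not PolarDB Agent Express code: an outbound-URL check that resolves the hostname and rejects any target in the listed internal ranges or the metadata block. The CIDR widths (the page only writes 10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.x.x) and the demo resolver table are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed CIDR widths for the ranges the rule lists (RFC 1918 private
# blocks plus the link-local block that carries the cloud metadata service).
BLOCKED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def _as_ip(host):
    """Return an ip_address for a literal host, or None for a DNS name."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def check_outbound_url(url, resolver=socket.gethostbyname):
    """Decide whether an agent tool may fetch `url`.

    Returns (allowed, reason). DNS names are resolved so that a hostname
    that points at an internal address is treated like the literal address.
    """
    host = urlparse(url).hostname
    if not host:
        return False, "no host in URL"
    ip = _as_ip(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(resolver(host))
        except (OSError, ValueError):
            return False, f"cannot resolve {host}"
    if any(ip in net for net in BLOCKED_NETWORKS):
        return False, f"{host} -> {ip} is in a blocked range"
    return True, "ok"


def demo_resolver(host):
    """Constructed stand-in for DNS so the example runs offline."""
    table = {"internal.example": "10.0.0.5", "public.example": "93.184.216.34"}
    if host not in table:
        raise OSError(f"cannot resolve {host}")
    return table[host]
```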
Prompt injection protection
| Rule | Protection content | System response |
| --- | --- | --- |
| Keyword detection | Detects injection keyword patterns in the input, such as "ignore previous instructions". | The input is rejected. |
| Score-based detection | Identifies high-risk injection content based on a model-generated score. | The input is rejected. |
Data protection
| Rule | Protection content | System response |
| --- | --- | --- |
| Sensitive file protection | Prohibits access to sensitive files, such as cloud credentials ( | The file operation is blocked. |
| Agent configuration protection | Prohibits access to the agent's runtime configuration directory, which contains credentials like API keys. | The file operation is blocked. |
| Credential scanning interception | Blocks the use of commands like | The command is blocked. |
| Credential output interception | Detects and blocks output containing credentials, such as API keys, access keys, private keys, and tokens. | The output is filtered. |
| Environment variable enumeration | Blocks environment variable enumeration commands such as | The command is blocked. |
| Core service file protection | Prohibits viewing, copying, modifying, and deleting content in core service directories, such as DAS-Audit. | The operation is blocked. |
Permission control
| Rule | Protection content | System response |
| --- | --- | --- |
| Tenant isolation | Prohibits users from accessing resources that do not belong to them. | The operation is blocked. |
| Role permission control | Users with the viewer role have read-only access. They cannot perform write, execute, or delete operations. | The operation is blocked. |
High-risk session control mechanism
The system maintains a cumulative risk score for each session. This score increases when the agent triggers multiple security rules or performs several suspicious operations within the same session.
When the session's risk score exceeds a built-in threshold, the system automatically locks all high-risk tools for that session, including file I/O, shell execution, and network requests.
During the lockdown period, the agent can only converse and cannot use any tools.
The risk score naturally decays over time. After about 10 minutes, it falls below the built-in threshold, and the high-risk tools become available again.
A single security rule violation typically does not trigger an immediate lockdown. However, if multiple violations, such as repeated path traversal attempts, sensitive file reads, or credential searches, occur in a session, the risk score rapidly accumulates and reaches the lockdown threshold.
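As an added model of the session control mechanism described above (example code, not the product's policy engine), the tracker below accumulates a per-session score from rule violations, locks the high-risk tool set once the score reaches a threshold, and releases the lock after the hold period while the score decays. The threshold, per-rule weights, decay rate and the 600-second hold are assumptions chosen to match the "about 10 minutes" behaviour the page states; the tool and rule names are illustrative.

```python
import time

LOCK_THRESHOLD = 10.0          # assumed; the page does not publish the real value
LOCK_DURATION = 600.0          # seconds; matches the "about 10 minutes" on the page
DECAY_PER_SECOND = LOCK_THRESHOLD / LOCK_DURATION  # score drains fully over the hold
HIGH_RISK_TOOLS = {"file_io", "shell_exec", "network_request"}  # illustrative names
RULE_WEIGHTS = {                # assumed weights for the violations the page names
    "path_traversal": 4.0,
    "sensitive_file_read": 4.0,
    "credential_search": 4.0,
}


class SessionRiskTracker:
    """Cumulative risk score with linear decay and a timed tool lockdown."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._score = 0.0
        self._last = clock()
        self._locked_until = None

    def _decay(self):
        now = self._clock()
        self._score = max(0.0, self._score - (now - self._last) * DECAY_PER_SECOND)
        self._last = now

    def score(self):
        self._decay()
        return self._score

    def record_violation(self, rule):
        """Add the rule's weight; start a lockdown when the threshold is reached."""
        self._decay()
        self._score += RULE_WEIGHTS[rule]
        if self._locked_until is None and self._score >= LOCK_THRESHOLD:
            self._locked_until = self._clock() + LOCK_DURATION
        return self.locked()

    def locked(self):
        if self._locked_until is None:
            return False
        if self._clock() < self._locked_until:
            return True
        self._locked_until = None   # hold expired; score has decayed meanwhile
        return False

    def can_use_tool(self, tool):
        """Conversation tools stay usable; high-risk tools are gated by the lock."""
        return not (tool in HIGH_RISK_TOOLS and self.locked())


class FakeClock:
    """Constructed clock so the decay can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds
```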
Handling false positives
If a legitimate operation is incorrectly blocked by a security rule, you can use the following methods to resolve the issue.
| Scenario | Solution |
| --- | --- |
| Session is locked due to high risk | Wait for about 10 minutes for the risk score to decay and for access to be automatically restored. Alternatively, start a new session. |
| A security rule frequently causes false positives | Contact a security administrator to evaluate whether to add the specific scenario to an allowlist or adjust the rule threshold. |