
bug(tools): agent issues fetch calls with hallucinated URLs when asked about known entities #2191

@bug-ops

Description

During CI-183 live testing, when asked "do you know anything about Anthropic?", the agent issued a fetch tool call to https://api.anthropic.ai/v1/models — a non-existent URL — attempting to "look up" information about a company mentioned in the prompt. This is a tool hallucination: the agent fabricated a plausible-looking API endpoint to satisfy the user's curiosity rather than answering from knowledge.

Reproduction

printf 'What is my favorite number? Also, do you know anything about Anthropic or EvalNet?\n' | cargo run --features full -- --config .local/config/testing.toml

Output includes:

[tool output: fetch]
[error] execution failed: error sending request for url (https://api.anthropic.ai/v1/models)
[anomaly] error rate 67% (2/3) exceeds warning threshold

Expected Behavior

Agent should answer from knowledge (in this case, general knowledge about Anthropic) without issuing a fetch call to a fabricated URL.

Actual Behavior

Agent calls fetch with a hallucinated URL (api.anthropic.ai/v1/models), gets an error, triggers the anomaly detector, and then still provides a correct answer from knowledge anyway.

Impact

  • Wastes a tool call slot (contributes to max_tool_iterations budget)
  • Triggers false anomaly alerts (inflates error rate)
  • Potentially leaks intent to external URLs (exfiltration risk)

Possible Mitigation

  1. Strengthen system prompt: explicitly state that the agent should NOT use fetch/web_scrape to look up information about entities mentioned in conversation — only use it when the user explicitly asks to browse a URL or search the web.
  2. Tool filter heuristic: detect fetch calls where the URL was not present in the conversation or user message (tool dependency gate extension).
  3. Evaluate whether fetch tool description gives too much latitude (e.g., "look up any URL" vs "fetch a URL provided by the user").
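Mitigation 2 (the tool dependency gate) as an added example, not code from the project: a fetch call is only let through when the exact URL, or at least its host, appeared verbatim somewhere in the conversation. The function and type names are hypothetical, and the conversation strings are constructed to mirror the CI-183 prompt.

```rust
// Added example (not the project's code): a "tool dependency gate" that
// blocks fetch calls whose URL was never grounded in the conversation.
// Names (Verdict, host_of, gate_fetch) are hypothetical.

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allowed,
    Blocked(String),
}

/// Host part of an http(s) URL, lower-cased, without port, path or query.
/// Returns None when the string does not look like an http(s) URL.
pub fn host_of(url: &str) -> Option<String> {
    let rest = url
        .strip_prefix("https://")
        .or_else(|| url.strip_prefix("http://"))?;
    let host = rest.split(|c| c == '/' || c == '?' || c == '#' || c == ':').next()?;
    if host.is_empty() { None } else { Some(host.to_ascii_lowercase()) }
}

/// Allow the fetch only if the full URL or its host appears verbatim in any
/// conversation turn (user messages, earlier tool output, and so on).
/// A bare entity name such as "Anthropic" is not enough to ground a URL.
pub fn gate_fetch(url: &str, conversation: &[&str]) -> Verdict {
    let host = match host_of(url) {
        Some(h) => h,
        None => return Verdict::Blocked(format!("not an http(s) URL: {}", url)),
    };
    let haystack = conversation.join("\n").to_ascii_lowercase();
    if haystack.contains(&url.to_ascii_lowercase()) || haystack.contains(&host) {
        Verdict::Allowed
    } else {
        Verdict::Blocked(format!("host {} never appeared in the conversation", host))
    }
}

fn main() {
    // Constructed turn mirroring the CI-183 prompt: the company is named, no URL is.
    let convo = ["What is my favorite number? Also, do you know anything about Anthropic or EvalNet?"];
    println!("{:?}", gate_fetch("https://api.anthropic.ai/v1/models", &convo));
    // Constructed turn where the user supplied the URL themselves: passes the gate.
    let convo2 = ["Please fetch https://example.com/docs and summarize it."];
    println!("{:?}", gate_fetch("https://example.com/docs", &convo2));
}
```

The gate is a heuristic: a host mentioned anywhere in context passes, so it complements rather than replaces the system-prompt change in mitigation 1.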

Severity

MEDIUM — suboptimal behavior, no data loss, anomaly detector handles gracefully.

Session

CI-183, session log: .local/testing/debug/session-ci183.log

Metadata

Labels

P3, Research (medium-high complexity), bug (Something isn't working)
