Evaluate risk by execution path, not by intent language.
- Identify requested actions that mutate external/public systems.
- Map each action to required tool, privilege, and confirmation path.
- Highlight escalation points (shell, filesystem, browser mutations).
- Recommend least-privilege alternatives where feasible.
- Summarize residual risk and explicit user-approval boundaries.
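
The checklist above as an added example, not code from the original page: each planned action is rated from its tool and target, and the intent wording is never consulted. The tool names, catalogue fields and sample plan are constructed assumptions.

```python
# Hypothetical tool catalogue (assumption):
# tool -> (privilege, mutates state, escalation point, narrower alternative)
TOOLS = {
    "shell.exec":     ("host command execution", True,  "shell",            "a single-purpose read-only tool"),
    "fs.write":       ("filesystem write",       True,  "filesystem",       "fs.read, or a scratch directory"),
    "fs.read":        ("filesystem read",        False, None,               None),
    "browser.submit": ("authenticated session",  True,  "browser mutation", "browser.read"),
    "browser.read":   ("page fetch",             False, None,               None),
    "http.post":      ("outbound API write",     True,  None,               "http.get, or a dry-run endpoint"),
}

def assess(action):
    """Rate one planned action by its execution path; the intent text is never read."""
    # Fail closed: a tool missing from the catalogue is treated as a mutating escalation point.
    privilege, mutates, escalation, alt = TOOLS.get(
        action["tool"], ("unknown", True, "unmapped tool", None))
    mutates_external = mutates and action["target"] == "external"
    needs_approval = mutates_external or escalation is not None
    return {
        "intent": action["intent"], "tool": action["tool"], "privilege": privilege,
        "mutates_external": mutates_external, "escalation": escalation,
        "confirmation": "explicit user approval" if needs_approval else "none",
        "alternative": alt,
    }

def summarize(actions):
    """Return per-action findings, the approval boundary, and what stays risky."""
    findings = [assess(a) for a in actions]
    boundary = [f for f in findings if f["confirmation"] != "none"]
    # Residual risk here means: approval is needed and no narrower tool is known.
    return {"findings": findings,
            "approval_boundary": [f["tool"] for f in boundary],
            "residual_risk": [f["tool"] for f in boundary if f["alternative"] is None]}

PLAN = [  # constructed sample plan; wording is deliberately misleading in both directions
    {"intent": "just quickly check the deploy status", "tool": "shell.exec", "target": "local"},
    {"intent": "wipe out everything stale in the report", "tool": "fs.read", "target": "local"},
    {"intent": "post a harmless comment", "tool": "browser.submit", "target": "external"},
    {"intent": "sync notes", "tool": "plugin.sync", "target": "external"},
]

if __name__ == "__main__":
    for f in summarize(PLAN)["findings"]:
        print(f"{f['tool']:15} {f['confirmation']:23} "
              f"escalation={f['escalation']} alt={f['alternative']}")
```

The mild-sounding shell request lands inside the approval boundary while the alarming-sounding read does not, which is the point of rating the path rather than the phrasing.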