export const slug = "stop-runaway-tool-calling-loop-guards";
Runaway tool calling is the fastest way to turn a “helpful” agent into a cost spike—or worse, a side‑effect generator that sends duplicate emails, creates duplicate CRM contacts, or re-opens tickets. If your Claude Skills workflow can call real tools (email, CRM, payments, internal APIs), you need loop control that doesn’t depend on model willpower.
Below are 7 loop guards you can implement today. The theme: treat tool usage as a governed workflow problem, not a prompt problem.
What runaway tool calling looks like (in 60 seconds)
Symptoms are usually obvious in logs:
- The agent calls the same tool repeatedly with near-identical arguments.
- Errors/timeouts trigger “try again” with no new information.
- You see duplicated external objects (two contacts, two payments, two emails).
- Costs climb because the agent never hits a crisp “done” condition.
The root cause is also consistent: no explicit stop condition + missing durable state, so the agent keeps “doing something” to feel productive.
Guardrail #1 — Make the stop condition explicit (not implied)
If your instruction is “create the contact and send an intro email,” your actual stop condition should be verifiable:
- Done when: exactly one CRM contact exists and one email was sent and both external IDs are recorded.
Write it like an invariant, not a vibe.
// Pseudocode: what “done” means for a step that has side effects
function isDone(state: {
crmContactId?: string;
emailMessageId?: string;
}) {
return Boolean(state.crmContactId && state.emailMessageId);
}
Anti-pattern: “keep trying until success.” That sentence creates infinite loops the moment a tool becomes flaky.
Guardrail #2 — Add a tool-call budget (hard cap + graceful degrade)
Set two caps:
- Per-step budget: e.g., max 3 tool calls in the Execute step.
- Per-run budget: e.g., max 15 calls total for the workflow run.
And decide what happens when the budget is hit:
- Escalate to human review
- Fall back to “draft only” (no send)
- Mark
needs_inputwith a clear error artifact
MAX_CALLS_PER_STEP = 3
calls = 0
for intent in tool_intents:
if calls >= MAX_CALLS_PER_STEP:
raise RuntimeError("Tool-call budget exceeded; escalate to review")
result = run_tool(intent)
calls += 1
Budgets turn “infinite failure modes” into “bounded incidents.”
Guardrail #3 — Separate plan from execute (and persist the plan)
A reliable pattern is plan-execute:
- Plan step produces a Tool Intents artifact.
- Execute step is the only place where tools may be called.
The intent record should include:
- tool name
- arguments
- expected success criteria
- a rollback/compensation note (if applicable)
{
"tool_intents": [
{
"tool": "crm.upsert_contact",
"args": {"email": "alex@acme.com", "name": "Alex"},
"success": "returns contact_id",
"compensation": "none (idempotent upsert)"
},
{
"tool": "email.send",
"args": {"to": "alex@acme.com", "template": "intro_v1"},
"success": "returns message_id",
"compensation": "send follow-up apology if duplicate"
}
]
}
Why this matters: when the agent loops, you can inspect whether it’s stuck in planning or execution, and you can enforce that the plan doesn’t change without new inputs.
Guardrail #4 — Enforce idempotency for side-effect tools
Any tool that writes to the outside world must be idempotent. If the underlying API supports idempotency keys (many payment and email APIs do), use them. If it doesn’t, you can simulate idempotency with your own “receipt” storage.
Receipt pattern: after a successful write, persist a receipt artifact containing the external ID (message-id, ticket-id, payment-id). On retry, check the receipt first.
// Pseudocode: safe email send with an idempotency key + receipt
const key = `intro-email:${leadId}:${templateVersion}`;
if (state.emailReceipt?.idempotencyKey === key) {
return state.emailReceipt.messageId; // already sent
}
const { messageId } = await email.send({
to: lead.email,
template: "intro_v1",
idempotencyKey: key,
});
state.emailReceipt = { idempotencyKey: key, messageId };
This single guardrail prevents the most expensive class of loop bugs: duplicate side effects.
Guardrail #5 — Add state + checkpoints between tool calls
Don’t make the agent infer “what happened” from chat history. Persist it.
At minimum, store:
- tool intents (what we intended to do)
- tool results (what happened)
- receipts (external IDs)
- current state (what we believe is true)
Then checkpoint after each write. If a timeout happens after the external system succeeded, you can resume safely without re-sending or re-creating.
This is where a white-box workflow system helps: steps produce explicit artifacts you can replay, diff, and audit.
Guardrail #6 — Detect loops structurally (diff-based + invariants)
You don’t need to “detect a loop” with vibes. Detect it with structure.
Stop the run if either condition holds:
- Arguments are unchanged across N attempts (e.g., 2 repeats).
- The “world state” did not change (no new external ID, no updated receipt).
def same_args(a, b):
return a["tool"] == b["tool"] and a["args"] == b["args"]
repeats = 0
for i in range(1, len(executed_calls)):
if same_args(executed_calls[i-1], executed_calls[i]):
repeats += 1
if repeats >= 2:
raise RuntimeError("Loop detected: repeated tool call with identical args")
This turns “mysterious thrashing” into a deterministic stop with a clear explanation.
Guardrail #7 — Make tool outputs boring: schemas, normalization, and timeouts
Agents loop more when tool outputs are:
- unstructured (free text)
- ambiguous (“success-ish”)
- inconsistent across retries
Make outputs boring:
- Validate tool results against a schema.
- Normalize errors into typed failures:
timeout,rate_limited,validation_error,auth_error. - Apply timeouts with a retry policy that’s tool-specific (not “retry everything”).
{
"type": "object",
"required": ["status"],
"properties": {
"status": {"enum": ["ok", "error"]},
"contact_id": {"type": "string"},
"error": {
"type": "object",
"properties": {
"kind": {"enum": ["timeout", "rate_limited", "auth_error", "validation_error", "unknown"]},
"message": {"type": "string"}
}
}
}
}
The less the agent has to interpret, the less it will improvise—and improvise itself into a loop.
Mini pattern: Create CRM contact + send intro email (loop-proof)
Here’s a compact, production-friendly step breakdown:
- Extract → parse lead fields (no tools)
- Plan → write Tool Intents artifact (no tools)
- Execute CRM write (idempotent) → upsert contact, store
crmContactId - Execute email send (idempotent) → send once, store
messageId - Verify → check stop condition; if not met, escalate (don’t “keep trying”)
In nNode terms, each step produces an inspectable artifact (plan, results, receipts, decision). That makes failures debuggable, retries safe, and side effects controlled.
Copy/paste operational checklist
Use this checklist for any workflow that touches real systems:
- “Done when…” stop condition is explicit and testable
- Per-step tool-call budget + per-run budget
- Plan/Execute separation (only Execute can call tools)
- Idempotency keys for every external write
- Receipt artifacts store external IDs (message-id, ticket-id, payment-id)
- Checkpoint after each side effect
- Loop detector: repeated args and/or unchanged world state
- Tool outputs: schema-validated + normalized errors + timeouts
- Escalation path when budgets/guards trigger
A soft next step
If you’re building Claude-powered automations that run every day, these guardrails are easier to maintain when your system is step-based, artifact-driven, and resumable by design. That’s the core idea behind nNode: a “white-box” way to build multi-agent workflows where every tool call is bounded, inspectable, and safe to retry.
If that sounds like what you need, take a look at nnode.ai.