Agent SDK engineer role-specific interview questions

As asked

An assistant can search a knowledge base, create support tickets, and refund orders. How do you prompt it to choose tools correctly and avoid harmful actions?

Sample answer outline

Define each tool's purpose, required inputs, and preconditions in compact operational language. Separate read-only tools from state-changing tools and require explicit user confirmation before irreversible actions such as refunds. The prompt should instruct the model to gather missing fields before calling a tool and to explain uncertainty rather than guessing arguments. The application should still enforce permissions and confirmation because prompt instructions are not an authorisation boundary. Weak answers focus on friendly wording and ignore tool contracts, auditability, and recovery from failed calls.

Expect these follow-ups

• What tool call should require confirmation?
• How do you handle a tool returning partial or stale data?
• Where do you enforce refund limits?

As asked

An agent SDK needs short-term task state, long-term user preferences, and retrieval over past work. How do you design memory without making the agent unreliable or creepy?

Sample answer outline

Separate memory types by purpose and retention: task state for the current run, user preferences that are explicit and editable, and retrieval memories with provenance. The agent should not silently infer sensitive attributes or treat every past statement as permanent truth. Store memories with source, timestamp, confidence, scope, and deletion controls, then retrieve only memories relevant to the current task. Evaluation should include stale-memory and wrong-user cases. Weak answers describe a vector store as memory without defining consent, correction, or when not to use recalled information.

Expect these follow-ups

• How does a user inspect and delete memory?
• What memory should expire automatically?
• How do you stop retrieved memory from overriding current user instructions?

As asked

You are asked to red team a tool-using support agent that reads web pages, calls internal APIs, and drafts customer replies. How would you test it for indirect prompt injection?

Sample answer outline

Start by mapping the trust boundaries: user instructions, retrieved web content, tool outputs, system prompts, and privileged internal data. Build payloads where hostile content appears in external pages or documents, then check whether the agent treats that content as instructions rather than data. A strong answer separates exfiltration, unauthorised tool use, data corruption, and policy bypass as distinct failure classes. Good candidates discuss both manual probing and an eval harness that measures attack success rate across model and prompt versions. The common trap is testing only direct jailbreaks in chat and missing the real agentic path through retrieved content.

Expect these follow-ups

• What signals prove the model followed the web page rather than the user task?
• How would you turn one successful exploit into a regression test?
• Which mitigations belong in prompting and which belong in the tool layer?