
[Bug]: Generic Guardrail API should extract and redact tool result content in Anthropic messages #29593

@yuval-fiddler


Check for existing issues

  • I have searched the existing issues and checked that my issue is not a duplicate.

What happened?

When using the Generic Guardrail API with Anthropic-format messages, tool result content is silently skipped during text extraction. This means file contents, API responses, and other data returned by tools (e.g., MCP file reads, API calls) bypass guardrail scanning entirely.

Root Cause

In litellm/llms/anthropic/chat/guardrail_translation/handler.py, the _extract_input_text_and_images() method extracts text from list content blocks by looking for content_item.get("text"):

elif content is not None and isinstance(content, list):
    for content_idx, content_item in enumerate(content):
        text_str = content_item.get("text", None)  # ← only looks for "text" key

However, Anthropic tool result blocks use "content" instead of "text":

  {
    "role": "user",
    "content": [
      {
        "type": "tool_result",
        "tool_use_id": "toolu_abc123",
        "content": "export OPENAI_API_KEY=sk-abc123..."
      }
    ]
  }

Since content_item.get("text") returns None for tool result blocks, the content is never added to texts_to_check and is invisible to all guardrails using the Generic Guardrail API.

Impact

This is a security gap for any guardrail that scans for PII, secrets, or sensitive content. In agentic workflows (Claude Desktop, Cursor, coding agents), tools frequently read files, query databases, or call APIs — all of which can return sensitive content that should be scanned before reaching the LLM.

Steps to Reproduce

Relevant log output

What part of LiteLLM is this about?

Generic Guardrail API

What LiteLLM version are you on?

v1.83.10

Twitter / LinkedIn details

No response
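
An added example, not LiteLLM's code and not part of the original issue: a standalone sketch that runs the text-only lookup quoted under Root Cause beside a variant that also reads tool_result content, so the difference in what a guardrail receives is visible. All function names are hypothetical, the sample messages are constructed, and it assumes a tool_result "content" value is either a string or a list of content blocks.

```python
from typing import Any, Callable, Dict, List

# Constructed sample (first tool_result string is the one quoted in the issue).
SAMPLE_MESSAGES: List[Dict[str, Any]] = [
    {"role": "user", "content": [
        {"type": "text", "text": "summarise my env file"},
        {"type": "tool_result", "tool_use_id": "toolu_abc123",
         "content": "export OPENAI_API_KEY=sk-abc123..."},
        {"type": "tool_result", "tool_use_id": "toolu_def456",
         "content": [{"type": "text", "text": "db_password=constructed-value"}]},
    ]},
]


def text_key_only(block: Any) -> List[str]:
    """Mirrors the lookup quoted in the issue: only the "text" key is read."""
    text = block.get("text") if isinstance(block, dict) else None
    return [text] if isinstance(text, str) else []


def text_and_tool_results(block: Any) -> List[str]:
    """Hypothetical fix: also descend into tool_result "content" (str or list)."""
    if isinstance(block, dict) and block.get("type") == "tool_result":
        inner = block.get("content")
        if isinstance(inner, str):
            return [inner]
        if isinstance(inner, list):
            return [t for sub in inner for t in text_and_tool_results(sub)]
        return []
    return text_key_only(block)


def texts_to_check(messages: List[Dict[str, Any]],
                   per_block: Callable[[Any], List[str]]) -> List[str]:
    """Collect every string a guardrail would be handed for these messages."""
    out: List[str] = []
    for message in messages:
        content = message.get("content")
        if isinstance(content, str):
            out.append(content)
        elif isinstance(content, list):
            for block in content:
                out.extend(per_block(block))
    return out


if __name__ == "__main__":
    print("text key only :", texts_to_check(SAMPLE_MESSAGES, text_key_only))
    print("with results  :", texts_to_check(SAMPLE_MESSAGES, text_and_tool_results))
```

A regression test for a fix in the real handler can assert the same property: every tool_result string in the request appears in the list passed to the guardrail.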
