The way this is generally implemented is that agents have the ability to request a tool use. Then you confirm "yes, you may run this grep".
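A minimal sketch of the request-then-confirm flow described above, added here as an illustration and not code from any particular agent framework. `ToolRequest`, `render` and `run_with_approval` are hypothetical names; the design assumption is that the human approves the exact argv that is then executed, with no shell in between.

```python
import shlex
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolRequest:
    """A tool call proposed by the agent. Frozen, so it cannot be
    altered between the moment it is shown and the moment it runs."""
    tool: str
    args: tuple


def render(req):
    """Exact command line shown to the human, shell-quoted so that
    spaces and metacharacters inside an argument stay visible."""
    return shlex.join([req.tool, *req.args])


def run_with_approval(req, approve, runner=subprocess.run):
    """Call approve(prompt) -> bool and execute only when it returns True.

    The command is passed as an argv list (no shell=True), so what was
    displayed is what runs: ';' or '|' in an argument is just text.
    """
    prompt = f"Agent requests: {render(req)}"
    if not approve(prompt):
        return {"status": "denied", "output": ""}
    proc = runner([req.tool, *req.args],
                  capture_output=True, text=True, timeout=30)
    return {"status": "ran", "exit": proc.returncode, "output": proc.stdout}


if __name__ == "__main__":
    # Constructed sample request; in a real loop this comes from the model.
    request = ToolRequest("grep", ("-n", "TODO", "notes.txt"))

    def ask(prompt):
        return input(prompt + "  Allow? [y/N] ").strip().lower() == "y"

    print(run_with_approval(request, ask))
```
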