diff --git a/backend/app/api/tools.py b/backend/app/api/tools.py
index ac1869a..761c354 100644
--- a/backend/app/api/tools.py
+++ b/backend/app/api/tools.py
@@ -8,7 +8,7 @@ from __future__ import annotations
 import logging
 from typing import Any, Dict, List, Optional
 
-from fastapi import APIRouter, Depends, HTTPException, Query
+from fastapi import APIRouter, Depends, HTTPException, Query, Path
 from pydantic import BaseModel
 from sqlalchemy.orm import Session
 
@@ -145,7 +145,10 @@ async def list_builtin_tools():
 
 
 @router.get("/{tool_id}", response_model=ToolResponse)
-async def get_tool(tool_id: str, db: Session = Depends(get_db)):
+async def get_tool(
+    tool_id: str = Path(..., pattern=r"^[0-9a-f-]{20,}$"),
+    db: Session = Depends(get_db)
+):
     """获取工具详情。"""
     tool = db.query(Tool).filter(Tool.id == tool_id).first()
     if not tool:
@@ -200,8 +203,8 @@ async def create_tool(
 
 @router.put("/{tool_id}", response_model=ToolResponse)
 async def update_tool(
-    tool_id: str,
     tool_data: ToolCreate,
+    tool_id: str = Path(..., pattern=r"^[0-9a-f-]{20,}$"),
     db: Session = Depends(get_db),
     current_user: User = Depends(get_current_user),
 ):
@@ -243,7 +246,7 @@ async def update_tool(
 
 @router.delete("/{tool_id}")
 async def delete_tool(
-    tool_id: str,
+    tool_id: str = Path(..., pattern=r"^[0-9a-f-]{20,}$"),
     db: Session = Depends(get_db),
     current_user: User = Depends(get_current_user),
 ):
@@ -304,7 +307,7 @@ async def test_code_tool(
 
 @router.post("/{tool_id}/use")
 async def record_tool_use(
-    tool_id: str,
+    tool_id: str = Path(..., pattern=r"^[0-9a-f-]{20,}$"),
     db: Session = Depends(get_db),
     current_user: User = Depends(get_current_user),
 ):