Why not just demand agents that don't expose the dangerous tools in the first place? Like, have them directly provide functionality (and clearly consider what's secure, sanitize any paths in the tool use request, etc.) instead of punting to Bash?
Because if you give an agent Bash it can do anything that can be achieved by running commands in Bash, which is almost anything.
Tools may become dangerous due to a combination of flags. `ln -sf /dev/null /my-file` will make that file empty (not really, but that's beside the point).
Because the OS already provides data security and redundancy features. Why reimplement?
Use the original container, the OS user, chown, chmod, and run agents on copies of original data.
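One way to put the "run agents on copies of original data" advice into practice, as an added example that is not from this thread: a POSIX sh script that copies the data, strips write permission from the original, records a fingerprint, and checks afterwards that the original is still byte-for-byte intact (function names, paths and sample files are mine and constructed for the demo; it assumes `cksum`, `find` and `cmp`).

```shell
#!/bin/sh
# Added example: isolate an agent's working copy from the original data and
# verify the original afterwards. Not code from the thread; names are illustrative.

# Fingerprint every regular file under a tree as sorted "crc size ./path" lines.
tree_fingerprint() {
    ( cd "$1" && find . -type f -exec cksum {} + | sort )
}

# Copy ORIGINAL to COPY, make ORIGINAL read-only, and record its fingerprint.
# Point the agent at COPY only; ideally COPY is owned by a dedicated OS user
# (chown) that has no write access to ORIGINAL. Note: file modes do not stop
# root, so the agent must not run as root for this to mean anything.
prepare_workspace() {
    orig="$1"; copy="$2"
    cp -R "$orig" "$copy" || return 1
    chmod -R a-w "$orig"
    chmod -R u+w "$copy"
    # Keep the fingerprint outside the agent's write scope in real use.
    tree_fingerprint "$orig" > "$copy.fingerprint"
}

# Succeeds only if ORIGINAL still matches the fingerprint taken at prepare time.
verify_original() {
    tree_fingerprint "$1" | cmp -s - "$2.fingerprint"
}

# Demo on constructed data. "demo" = agent edits the copy only (verify passes);
# "demo tamper" = something also writes to the original (verify fails).
demo() {
    base=$(mktemp -d) || return 2
    mkdir -p "$base/original/src"
    printf 'hello\n' > "$base/original/src/a.txt"
    printf 'config=1\n' > "$base/original/settings.ini"
    prepare_workspace "$base/original" "$base/work" || return 2
    printf 'changed\n' > "$base/work/src/a.txt"     # agent edits its copy: allowed
    rm -f "$base/work/settings.ini"                  # agent deletes in its copy: allowed
    if [ "$1" = tamper ]; then                       # simulated write-through to the original
        chmod u+w "$base/original/settings.ini"
        printf 'config=2\n' > "$base/original/settings.ini"
    fi
    if verify_original "$base/original" "$base/work"; then status=0; else status=1; fi
    chmod -R u+w "$base/original"; rm -rf "$base"    # cleanup
    return $status
}

demo && echo "original untouched"
```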
Because it's impossible for fundamental reasons, period. You can't "sanitize" inputs and outputs of a fully general-purpose tool, which an LLM is, any more than you can "sanitize" inputs and outputs of people - not in the perfect sense you seem to be expecting here. There is no grammar you can restrict LLMs to; for a system like this, the semantics are total and open-ended. It's what makes them work.
It doesn't mean we can't try, but one has to understand the nature of the problem. Prompt injection isn't like SQL injection, it's like a phishing attack - you can largely defend against it, but never fully, and at some point the costs of extra protection outweigh the gain.