logoalt Hacker News

megoustoday at 10:36 AM0 repliesview on HN

The problem is not that you can make LLM perform whatever tool calls you want.

The problem is that those tool calls are not scoped to what you can access. Eg. tool call should not allow the LLM to access anything that you should not be able to access if you had access to the tool calls directly.

So in a sense the problem is not string interpretation confusion (like with SQL injection), but data access controls.