logoalt Hacker News

Karmakosmiktoday at 5:35 AM1 replyview on HN

Isn't that expected? I always assumed the agent owns (at least) the current workspace (whatever dir it's launched in) and so can do whatever it wants in there. If they actually use this try and do things in the backend and saving prompt RTTs and tool calls that would be in my interest, no?


Replies

dannywtoday at 5:57 AM

No, there’s the normal messages API which is what’s used to read files and deliver responses.

The author has identified a second endpoint which exfils your whole project folder, into a GCP storage bucket. Anyone who designs large scale distributed systems can tell this is to scoop up training data.