wfn a day ago

> Isn't every single piece of content here a potential RCE/injection/exfiltration vector for all participating/observing agents?

100%. I wonder when we'll get LLM botnets (optionally orchestrated by an agent), if we haven't already.

The way I see prompt injection is that, currently, there is no architecture for a fundamental separation of control vs. data channels (others also think along similar lines, of course; not an original idea at all). There are (sometimes) attempts at workarounds. This is apart from other insane security holes.

Edit/p.s.: Simon has been talking about this for multiple years now; I should mention this in fairness (incl. in the linked post).

londons_explore 2 days ago

We are back in the glorious era of eval($user_supplied_script).

If only that model didn't have huge security flaws, it would be really helpful.

Same here.