For these agentic AI systems, like a human operator, the LLM needs to have a wide variety of operations available to it, gated by permissions and authentication. They should be calling APIs. They should be making DB queries with RLS. The reasoning model is to identify which APIs to use when and in which order… not to execute arbitrary code in prod. The same expected of a human screwing around with prod.
Leaking private repos is occurring not because an LLM is involved, but because the LLM isn’t being required to forward the authentication requirement from the user, and engaging the APIs with that limited permission sets. And it would be just as useful having had that limitation in place
The LLM is currently running around like a level 1 tech support holding admin creds, and you’re just hoping they doesn’t do anything stupid with them by giving them a bunch instructions on what not to do.
I think prompt injection vs sql injection is actually not far off — both are the direct results of blindly trusting user input for no particular reason and entirely unnecessarily, with a system that has far more power than it needs to do the task it was meant to do. It also has the same incorrect “solution” given out — sanitize your inputs — instead of correcting the problem at the source (why is an agent for repo X able to read repo Y in the first place?)
Prompt injection in the non-agentic scenario — like getting an LLM to answer questions from its training you don’t want it answering — is inevitable and unavoidable. But things like TFA, deleting prod, etc are well within reach
Leaking private repos is occurring not because an LLM is involved, but because the LLM isn’t being required to forward the authentication requirement from the user, and engaging the APIs with that limited permission sets. And it would be just as useful having had that limitation in place
The LLM is currently running around like a level 1 tech support holding admin creds, and you’re just hoping they doesn’t do anything stupid with them by giving them a bunch instructions on what not to do.
I think prompt injection vs sql injection is actually not far off — both are the direct results of blindly trusting user input for no particular reason and entirely unnecessarily, with a system that has far more power than it needs to do the task it was meant to do. It also has the same incorrect “solution” given out — sanitize your inputs — instead of correcting the problem at the source (why is an agent for repo X able to read repo Y in the first place?)
Prompt injection in the non-agentic scenario — like getting an LLM to answer questions from its training you don’t want it answering — is inevitable and unavoidable. But things like TFA, deleting prod, etc are well within reach