HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ratnaditya

no profile record

Submissions

[untitled]

1 points·by ratnaditya·2 maanden geleden·0 comments

Prompt eval cues predicted refusal shifts across 32k LLM rollouts

medium.com
1 points·by ratnaditya·2 maanden geleden·0 comments

[untitled]

13 points·by ratnaditya·3 maanden geleden·0 comments

[untitled]

1 points·by ratnaditya·3 maanden geleden·0 comments

Show HN: AgentWard – After an AI agent deleted files, I built a runtime enforcer

github.com
1 points·by ratnaditya·5 maanden geleden·1 comments

comments

ratnaditya
·2 maanden geleden·discuss
[flagged]
ratnaditya
·3 maanden geleden·discuss
[dead]
ratnaditya
·5 maanden geleden·discuss
[dead]
ratnaditya
·5 maanden geleden·discuss
The kernel-level approach is the right answer for protecting the host from the agent — landlock and seatbelt give you deterministic enforcement that the LLM can't reason its way around. What I find interesting is the complementary layer above this: even with a perfect sandbox, you still need application-level policy for what the agent is allowed to do within its permitted scope. A sandboxed agent can still send all your emails or delete all your files if those operations are within its allowed syscalls. The two layers solve different problems and both seem necessary.
ratnaditya
·5 maanden geleden·discuss
The hash-chained audit trail is a nice touch — append-only logs are underrated for agent governance. Curious how you handle the policy definition UX for teams without security backgrounds. JSON rules are expressive but require knowing what to block in advance. Most developers don't know their risk profile until after something goes wrong — which is part of why I think automated scanning before policy definition matters. Does AgentBouncr have any way to suggest policies based on what tools the agent actually has access to?
ratnaditya
·5 maanden geleden·discuss
The supply chain angle is the right framing — the typosquat example with mcp-servr-github is exactly the kind of thing that's hard to catch manually. One thing I've been thinking about in this space: static scanning at install time is necessary but not sufficient. A server can pass a clean scan and still behave dangerously at runtime — either because it changes its tool descriptions after installation (the MCP rug pull attack Invariant Labs documented), or because two individually safe tools create a dangerous combination when chained together. Email access alone is fine. Web browser alone is fine. Together they're a data exfiltration path that no static scanner would flag. Curious whether MCPShield has any plans to address chaining and runtime behavior, or if the focus is intentionally on the pre-deployment supply chain problem?