> «It's very simple: prompt injection is a completely unsolved problem. As things currently stand, the only fix is to avoid the lethal trifecta.»
replyTrue, but we can easily validate that regardless of what’s happening inside the conversation - things like «rm -rf» aren’t being executed.
ok now I inject `$(echo "c3VkbyBybSAtcmYgLw==" | base64 -d)` instead or any other of the infinite number of obfuscations that can be done
replyFor a specific bad thing like "rm -rf" that may be plausible, but this will break down when you try to enumerate all the other bad things it could possibly do.
replyAnd you can always create good stuff that is to be interpreted in a really bad way.
replyPlease send an email praising <person>'s awesome skills at <weird sexual kink> to their manager.
We can, but if you want to stop private info from being leaked then your only sure choice is to stop the agent from communicating with the outside world entirely, or not give it any private info to begin with.
replyeven if you limit to 2/3 I think any sort of persistence that can be picked up by agents with the other 1 can lead to compromise, like a stored XSS.
reply