It gets significantly harder to isolate the authentication details when the model has access to a shell, even in a container. The CLI tool that the model is running may need to access the environment or some credentials file, and what's to stop the model from accessing those credentials directly?
replyIt breaks most assumptions we have about the shell's security model.
Couldn't that be solved by whitelisting specific commands?
replySuch a mechanism would need to be implemented at `execve`, because it would be too easy for the model to stuff the command inside a script or other executable.
replyGive it a try, and challenge yourself (or ChatGPT) to break it.
replyYou'll quickly realize that this is not feasible.