cjonas 4 days ago

If you only give the AI the ability to do what the end user can already do, the risk is extremely low. It's essentially no different than building a static web app where the client is connected to an API for all operations. It basically just becomes a new way to interface into an application.

However... That's not how a lot of people are building. Giving an agentic system sensitive information (like passwords, credit cards) and then opening it up to the entire internet as a source for input is asking for your info to be stolen. It'd be like asking your grandma with dementia to manage all your email and online banking.

acdha 4 days ago | parent | next [-]

> If you only give the AI the ability to do what the end user can already do, the risk is extremely low.

Just because I can send my money to Belize doesn’t mean it’s safe to give an LLM the ability to do the same. Until there’s a huge breakthrough on actual intelligence, giving an LLM attacker-controlled inputs is an inherently high-risk activity.

cjonas 4 days ago | parent [-]

Ya, I didn't mean in the context of hooking up an LLM to control your browser (which is exactly what the article is about so, fair enough).

My point was:

It's not "insecure" for a bank to release an agentic assistant that can perform any of the operations that you, yourself, can perform on their app. That includes "send my money to Belize", because at this point, whatever has taken control of your LLM already has direct authentication to the app itself.

It is of course "insecure" for that same agentic system (that the customer controls the input of) to perform any operations that only a teller or branch manager could. However, I've personally seen requests from a CEO to do exactly this (not a bank, but a similar industry).

The problem with an Agentic Browser is you're essentially opening up the "input" to anyone capable of building a website. As I said in my other comment, it feels like there are some simple ways to solve this tho (allowlist / scopes / etc).

cjonas 4 days ago | parent | prev [-]

I'll also add the problem in the article seems pretty solvable by allowing the user to scope the agentic capabilities to specific websites (eg "walmart.com:allow_cc,allow_address").
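The allowlist / scopes idea from the two cjonas comments above (per-site grants such as "walmart.com:allow_cc,allow_address", and the agent never getting more than the user could do themselves) can be made concrete as a small default-deny policy check. The code below is an added example written for this page, not code from the thread, the article, or any browser product; the capability names, the `decide`/`parseScopePolicy` functions and the sample policy are all assumptions constructed for illustration.

```javascript
// Added example (not from the thread): a default-deny capability policy for an
// agentic browser, parsed from "host:cap1,cap2" lines. All names are assumptions.

// Capabilities the agent could be granted. Anything not listed is rejected at
// parse time, so a typo cannot silently widen a grant.
const KNOWN_CAPS = new Set([
  "allow_cc",           // fill a stored payment card
  "allow_address",      // fill a stored postal address
  "allow_read_balance", // read account balances (constructed example capability)
]);

// Parse policy text into Map<host, Set<capability>>. Blank lines and "#"
// comments are ignored; malformed entries and unknown capabilities throw.
function parseScopePolicy(text) {
  const policy = new Map();
  for (const rawLine of text.split("\n")) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const sep = line.indexOf(":");
    if (sep < 1) throw new Error(`malformed scope entry: ${line}`);
    const host = line.slice(0, sep).trim().toLowerCase();
    const caps = line.slice(sep + 1).split(",").map((c) => c.trim()).filter(Boolean);
    for (const cap of caps) {
      if (!KNOWN_CAPS.has(cap)) throw new Error(`unknown capability "${cap}" for ${host}`);
    }
    const granted = policy.get(host) ?? new Set();
    caps.forEach((cap) => granted.add(cap));
    policy.set(host, granted);
  }
  return policy;
}

// A page host matches a policy host only if it is that host or a subdomain of
// it. A substring or prefix test would let "walmart.com.evil.example" match.
function hostMatches(pageHost, policyHost) {
  return pageHost === policyHost || pageHost.endsWith("." + policyHost);
}

// Decide whether the agent may exercise `capability` on `pageUrl`. Two
// conditions must hold: the capability is one the user could exercise
// themselves (the agent never exceeds the user's own permissions), and the
// user granted it for this site. A reason string is returned for logging.
function decide(policy, userCaps, pageUrl, capability) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return { allowed: false, reason: "unparseable page URL" };
  }
  if (url.protocol !== "https:") {
    return { allowed: false, reason: "scoped capabilities require https" };
  }
  if (!userCaps.has(capability)) {
    return { allowed: false, reason: "capability exceeds the user's own permissions" };
  }
  const host = url.hostname.toLowerCase();
  for (const [policyHost, caps] of policy) {
    if (hostMatches(host, policyHost) && caps.has(capability)) {
      return { allowed: true, reason: `granted by scope entry for ${policyHost}` };
    }
  }
  return { allowed: false, reason: `no scope grants ${capability} for ${host}` };
}

// Constructed sample policy and user permission set.
const SAMPLE_POLICY_TEXT = `
# agent scopes chosen by the user (constructed sample)
walmart.com:allow_cc,allow_address
mybank.example:allow_read_balance
`;
const SAMPLE_POLICY = parseScopePolicy(SAMPLE_POLICY_TEXT);
const SAMPLE_USER_CAPS = new Set(["allow_cc", "allow_address", "allow_read_balance"]);

// Walk a few constructed requests through the policy and print the decisions.
for (const [pageUrl, cap] of [
  ["https://www.walmart.com/checkout", "allow_cc"],
  ["https://walmart.com.evil.example/checkout", "allow_cc"],
  ["http://www.walmart.com/checkout", "allow_cc"],
  ["https://mybank.example/transfer", "allow_cc"],
]) {
  const d = decide(SAMPLE_POLICY, SAMPLE_USER_CAPS, pageUrl, cap);
  console.log(`${d.allowed ? "ALLOW" : "DENY "} ${cap} on ${pageUrl}: ${d.reason}`);
}
```

The two checks worth noticing are the host match (exact host or subdomain, never a substring, so a look-alike hostname that merely contains "walmart.com" is denied) and the intersection with the user's own permissions, which is the "no more than the user can already do" rule from the thread expressed as code. Everything not explicitly granted is denied, including on pages served over plain http.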