VTimofeenko 15 hours ago

Tools may become dangerous due to a combination of flags. `ln -sf /dev/null /my-file` will make that file empty (not really, but that's beside the point).

zahlman 14 hours ago | parent [-]

Yes. My proposal is that the part of the system that actually executes the command, instead of trying to parse the LLM's proposed command and validate/quote/escape/etc. it, should expose an API that only includes safe actions. The LLM says "I want to create a symbolic link from foo to bar" and the agent ensures that both ends of that are on the accept list and then writes the command itself. The LLM says "I want to run this cryptic Bash command" and the agent says "sorry, I have no idea what you mean, what's Bash?".

LudwigNagasena 14 hours ago | parent [-]

That's a distinction without a difference, in the end you still have an arbitrary bash command that you have to validate.

And it is simply easier to whitelist directories than individual commands. Unix utilities weren't created with fine-grained capabilities and permissions in mind. Whenever you add a new script or utility to a whitelist, you have to actively think about whether any new combination may lead to privilege escalation or unintended effects.

zahlman 3 hours ago | parent [-]

> That's a distinction without a difference, in the end you still have an arbitrary bash command that you have to validate.

No, you don't. You have a command generated by auditable, conventional code (in the agent wrapper) rather than by a neural network.
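
One way to build the wrapper zahlman describes above (a fixed API of safe actions, both ends of a symlink checked against an accept list, the command written by ordinary code rather than by the model), combined with the directory allowlist LudwigNagasena mentions. This is an added example, not code from any commenter in the thread; the workspace root `/srv/agent-workspace`, the `RejectedAction` class and the shape of the request dict are assumptions made for illustration.

```python
import subprocess
from pathlib import Path

# Assumed for the example: the only place the agent may touch is this root.
ALLOWED_ROOTS = ("/srv/agent-workspace",)


class RejectedAction(Exception):
    """Raised for anything the safe-action API does not explicitly permit."""


def resolve_within_allowlist(path_str, roots=ALLOWED_ROOTS):
    """Canonicalise a path and require it to lie inside an allowed root.

    resolve() follows existing symlinks and collapses '..', so a link that
    already points outside the workspace, or a '../../etc/passwd' in the
    request, is judged by where it really lands, not by how it is spelled.
    """
    if not isinstance(path_str, str):
        raise RejectedAction("path must be a string")
    p = Path(path_str)
    if not p.is_absolute():
        raise RejectedAction(f"relative path not allowed: {path_str}")
    resolved = p.resolve(strict=False)
    for root in roots:
        root_resolved = Path(root).resolve(strict=False)
        if resolved == root_resolved or root_resolved in resolved.parents:
            return resolved
    raise RejectedAction(f"path outside allowlist: {path_str} -> {resolved}")


def build_symlink_argv(request, roots=ALLOWED_ROOTS):
    """'I want a symbolic link from target to link': check both ends, then
    write the argv ourselves. The flags are fixed by this code; the model
    cannot add -f (or anything else), so an existing file is never clobbered.
    """
    target = resolve_within_allowlist(request.get("target"), roots)
    link = resolve_within_allowlist(request.get("link"), roots)
    # '--' makes sure nothing path-shaped is ever parsed as an option.
    return ["ln", "-s", "--", str(target), str(link)]


# The whole API surface the model can call. There is no "run_bash" entry.
ACTIONS = {"symlink": build_symlink_argv}


def plan_command(request, roots=ALLOWED_ROOTS):
    """Turn a structured request into an argv list, or reject it."""
    builder = ACTIONS.get(request.get("action"))
    if builder is None:
        # "sorry, I have no idea what you mean, what's Bash?"
        raise RejectedAction(f"unknown action: {request.get('action')!r}")
    return builder(request, roots)


def is_permitted(request, roots=ALLOWED_ROOTS):
    """True if the request would be executed, False if the wrapper rejects it."""
    try:
        plan_command(request, roots)
        return True
    except RejectedAction:
        return False


def execute(request, roots=ALLOWED_ROOTS):
    """Run the planned command as an argv list: no shell, no parsing of
    model output, nothing to quote or escape."""
    return subprocess.run(plan_command(request, roots), check=True,
                          capture_output=True)
```

The point of the thread is visible in `build_symlink_argv`: the only string that reaches `ln` is a canonicalised path that has already passed the directory allowlist, and the flags come from the wrapper, not from the model. A request such as `{"action": "symlink", "target": "/dev/null", "link": "/srv/agent-workspace/my-file"}` is refused because `/dev/null` is outside the root, and `{"action": "run_bash", ...}` is refused because the API has no such action.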