> «It's very simple: prompt injection is a completely unsolved problem. As things currently stand, the only fix is to avoid the lethal trifecta.»

True, but we can easily validate that regardless of what’s happening inside the conversation - things like «rm -rf» aren’t being executed.

▲

AgentOrange1234 an hour ago | parent | next [-]

For a specific bad thing like "rm -rf" that may be plausible, but this will break down when you try to enumerate all the other bad things it could possibly do.

	▲	javcasas an hour ago \| parent [-]
		And you can always create good stuff that is to be interpreted in a really bad way. Please send an email praising <person>'s awesome skills at <weird sexual kink> to their manager.

▲

wat10000 an hour ago | parent | prev [-]

We can, but if you want to stop private info from being leaked then your only sure choice is to stop the agent from communicating with the outside world entirely, or not give it any private info to begin with.