bilekas 5 hours ago

> Note: Cortex does not support ‘workspace trust’, a security convention first seen in code editors, since adopted by most agentic CLIs.

Am I crazy or does this mean it didn't really escape, it wasn't given any scope restrictions in the first place?
dd82 5 hours ago | parent

not quite, from the article

> Cortex, by default, can set a flag to trigger unsandboxed command execution. The prompt injection manipulates the model to set the flag, allowing the malicious command to execute unsandboxed.

> This flag is intended to allow users to manually approve legitimate commands that require network access or access to files outside the sandbox.

> With the human-in-the-loop bypass from step 4, when the agent sets the flag to request execution outside the sandbox, the command immediately runs outside the sandbox, and the user is never prompted for consent.

scope restrictions are in place but are trivial to bypass
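The control failure dd82 quotes, as an added illustration that is neither Cortex's code nor from the linked article: a toy gate where a model-set flag alone selects unsandboxed execution, beside one that treats the flag only as a request that still needs consent from the user channel, plus a check over a constructed audit log for escalations nobody approved. All names (ToolCall, gate_vulnerable, gate_hardened, find_unapproved_escalations) and the sample log are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class ToolCall:
    """One command the model wants to execute, with the model-settable flag
    that asks for execution outside the sandbox (hypothetical structure)."""
    command: str
    request_unsandboxed: bool = False


def gate_vulnerable(call: ToolCall) -> str:
    """Flawed gate: the model-controlled flag alone selects the execution
    mode, so any prompt injection that gets the flag set leaves the sandbox."""
    return "unsandboxed" if call.request_unsandboxed else "sandboxed"


def gate_hardened(call: ToolCall, user_consent: bool) -> str:
    """Hardened gate: the flag is only a request. Leaving the sandbox needs
    consent that arrives on the human channel, which model output cannot set."""
    if not call.request_unsandboxed:
        return "sandboxed"
    return "unsandboxed" if user_consent else "denied"


def find_unapproved_escalations(audit_log):
    """Detection over an execution audit log of (command, mode, consent):
    return every unsandboxed run with no recorded user consent."""
    return [cmd for cmd, mode, consent in audit_log
            if mode == "unsandboxed" and not consent]


# Constructed sample: an injected instruction made the model set the flag
# on a call the user never approved. The command text is a placeholder.
INJECTED_CALL = ToolCall("<command needing network access>", request_unsandboxed=True)

# Constructed audit log; the second entry is the silent escape, the third a
# legitimate, user-approved escalation that the detector must not flag.
AUDIT_LOG = [
    ("ls ./workspace", "sandboxed", False),
    ("<command needing network access>", "unsandboxed", False),
    ("pip install requests", "unsandboxed", True),
]

if __name__ == "__main__":
    print("vulnerable gate:", gate_vulnerable(INJECTED_CALL))
    print("hardened gate, no consent:", gate_hardened(INJECTED_CALL, False))
    print("unapproved escalations:", find_unapproved_escalations(AUDIT_LOG))
```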