DaiPlusPlus | 3 hours ago
> Seems like an agent given 20-30 tool calls like "read_sms", "matter_command", and "send_email" would be able to work out what to do for things like "set the house to 72° and text Laura that I did it."

Incidentally, a major headline in the news this past week was about a coding agent that wiped its company's entire system, including backups, which the company's staffers were confident was utterly impossible (it didn't have any access to that system), and yet somehow it did[1]. The TL;DR: the agent randomly came across an unprotected god-tier admin API key/token saved in a personal text file on a filesystem it had read access to.

If an agent can do that with only read-only access to a company's routine, everyday storage, then there's no way I'm giving one the ability to deactivate my house's fire alarms and security cameras via Google Home/Matter/Thread/HomeKit/X10/OhFfsNotAnotherCloudBasedAutomationScheme.

[1] https://www.theregister.com/2026/04/27/cursoropus_agent_snuf...
8note | 41 minutes ago
If you are really worried about that, the agent effectively already has that access, since it'll go find the key anyway. The HN thread about that case was much more "why are you putting your prod keys in random text files?" and "the state of the art in prompt engineering is that writing DON'T FUCKING DO THE BAD THING just makes the agent more desperate to get stuff done."

Putting limits at the harness level would do just fine: one LLM call, one tool call per voice message. You don't have to give it a ton of turns.
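The harness-level limit is easy to sketch. Here's a minimal, hypothetical version: the tool names (set_temperature, send_text), the allowlist, and the stand-in model function are all made up for illustration; a real harness would call an actual LLM API where fake_model is, but the shape is the same: exactly one model call, at most one allowlisted tool call, then stop. No agent loop, no extra turns.

```python
# Hypothetical harness: one LLM call, one tool call per voice message.
# Tool names and fake_model are illustrative, not from any real API.

ALLOWED_TOOLS = {
    "set_temperature": lambda degrees: f"thermostat set to {degrees}",
    "send_text": lambda to, body: f"texted {to}: {body}",
}

def fake_model(message: str) -> dict:
    # Stand-in for a single LLM call that returns one tool request.
    if "72" in message:
        return {"tool": "set_temperature", "args": {"degrees": 72}}
    return {"tool": "send_text", "args": {"to": "Laura", "body": "done"}}

def handle_voice_message(message: str) -> str:
    """Exactly one model call and at most one tool call, then stop."""
    request = fake_model(message)                 # the single LLM call
    tool = ALLOWED_TOOLS.get(request["tool"])
    if tool is None:
        return "refused: tool not on allowlist"   # harness-level limit
    return tool(**request["args"])                # the single tool call

print(handle_voice_message("set the house to 72 degrees"))
```

Because the cap lives in the harness rather than the prompt, the model can be as "desperate" as it likes; it still gets one shot per message.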