| ▲ | hobofan 5 hours ago | |||||||
Prompt injections are a whole class of vulnerabilities, and I would say there is generally a pretty good idea of how to mitigate them to be impactful. However in many cases those mitigations are not implemented (in the strictness that they require), as they are usually either too costly (second LLM as judge) or lead to worse UX (tool call confirmation with appropriate review of all input parameters on every tool call; disconnecting web access). | ||||||||
| ▲ | xienze 4 hours ago | parent [-] | |||||||
> and I would say there is generally a pretty good idea of how to mitigate them to be impactful Yes and no. No in the sense that the space of possible ways to craft a malicious prompt is infinite. Yes in the sense that you can lock down every single possible way the agent can interact with the system. But, will doing so render the agent nearly useless? And, are you absolutely sure you'll never forget to lock each and every thing down, including things you weren't aware of? > second LLM as judge Again, see above. You're perhaps making it harder to craft a prompt injection, but not impossible. This is a false sense of security. | ||||||||
| ||||||||