Comment by Havoc
10 hours ago
That’s a great deal of technical isolation but does little to address the real problem. If the agent has access to both your info (email, files etc.) and reads things on, say, the open internet, then it’s vulnerable to prompt injection and data exfiltration.
And if you remove either access to data or access to the internet, then you kill a good chunk of usefulness.
Also what people forget, even read access alone can be used to communicate with an attacker.
Assume locally I know a read-only agent (running on account A) is reading a specific file from user B. Assume it has access to a secret that user B cannot observe. By prompt injection, you can have the read-only agent encode the secret as a "read" pattern that user B can decode by looking at file access times.
(You can think of fetch requests and the likes for more involved cases)
So read only, while helpful, does not innately prevent communication with an attacker.
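A defender-side check for the access-time channel mentioned in the comment above, added here as an example and not part of the commenter's post: it reports whether the mount holding a file still updates atime on reads (the `noatime` mount option removes that signal; `relatime`, the Linux default, only updates when atime is older than mtime/ctime or older than a day, so it weakens but does not fully close the channel) and probes the behaviour empirically. The `/proc/mounts` sample lines are constructed; `mount_for_path` and `read_updates_atime` are hypothetical helper names.

```python
"""Check whether file reads on a given path leave an observable atime trace."""
import os
import tempfile
import time

# Constructed sample in /proc/mounts format, used when /proc/mounts is absent.
SAMPLE_MOUNTS = (
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "/dev/sdb1 /srv/agentdata ext4 rw,noatime 0 0\n"
)


def mount_exposes_atime(mount_options: str) -> bool:
    """True if reads on this mount can still update atime (relatime/strictatime)."""
    return "noatime" not in mount_options.split(",")


def mount_for_path(path: str, mounts_text: str) -> tuple:
    """Longest-prefix match of path against /proc/mounts lines -> (mountpoint, options)."""
    best = ("", "")
    real = os.path.realpath(path)
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mountpoint, options = parts[1], parts[3]
        prefix = mountpoint.rstrip("/") + "/"
        if (real == mountpoint or real.startswith(prefix)) and len(mountpoint) > len(best[0]):
            best = (mountpoint, options)
    return best


def read_updates_atime(directory=None) -> bool:
    """Empirical probe: create a file, read it, report whether st_atime moved."""
    with tempfile.NamedTemporaryFile(dir=directory, delete=False) as f:
        f.write(b"probe")
        path = f.name
    try:
        before = os.stat(path).st_atime_ns
        time.sleep(0.05)  # ensure a read that updates atime is distinguishable
        with open(path, "rb") as f:
            f.read()
        return os.stat(path).st_atime_ns > before
    finally:
        os.unlink(path)


def check_path(path: str) -> dict:
    """Combine the mount-option view and the empirical probe for one path."""
    mounts = open("/proc/mounts").read() if os.path.exists("/proc/mounts") else SAMPLE_MOUNTS
    mountpoint, options = mount_for_path(path, mounts)
    return {"mountpoint": mountpoint, "options": options,
            "atime_by_options": mount_exposes_atime(options),
            "atime_observed": read_updates_atime(os.path.dirname(path) or None)}
```

Run `check_path` on a directory the read-only agent can reach; if `atime_by_options` or `atime_observed` is true, another local account with stat access to that file can see when it was read.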