
Comment by snailmailman

7 hours ago

How is the second LLM not also vulnerable to prompt injection? In order to supervise the first, it must receive data (presumably output from the first LLM?). All generated output after the user input is in the context should be considered possibly compromised/prompt injected. Having a second LLM just adds more obfuscation, but prompt injection could be chained.

That's when you bust out the third LLM. Nobody expects the fourth LLM to be the REAL LLM in the chain.
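The point in the comment above can be made mechanical with trust labels: if every LLM output inherits the weakest label of anything in its context, then no number of supervisor models stacked after the first one can turn untrusted text back into trusted text. The following is an added example (not code from the original comment or its author); the `stub_model` stand-in, the `Trust` labels and the chain layout are constructed assumptions for illustration.

```python
"""Trust-label propagation through a chain of LLM calls (constructed example)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Sequence


class Trust(IntEnum):
    UNTRUSTED = 0   # touched by external input, directly or transitively
    TRUSTED = 1     # authored by the operator and never mixed with external text


@dataclass(frozen=True)
class Message:
    source: str          # who produced this text (system prompt, user, llm_N)
    text: str
    trust: Trust
    lineage: tuple = ()  # sources that were in the context window that produced it


ModelFn = Callable[[str], str]


def stub_model(name: str) -> ModelFn:
    """Constructed stand-in for a real model call. The label logic below never
    inspects the returned text, which is the whole point: no model output,
    however confident, is allowed to change a label."""
    return lambda prompt: f"<{name} output over {len(prompt)} chars>"


def llm_call(name: str, inputs: Sequence[Message], model: ModelFn) -> Message:
    """An output inherits the weakest trust of anything in its context window."""
    trust = min(m.trust for m in inputs)
    text = model("\n".join(m.text for m in inputs))
    lineage = tuple(m.source for m in inputs)
    return Message(name, text, trust, lineage)


def run_chain(user_text: str, supervisors: int) -> Message:
    """llm_1 sees the user input; each supervisor sees only a trusted policy
    plus the previous model's output. Returns the last model's message."""
    system = Message("system_prompt", "You are a helpful assistant.", Trust.TRUSTED)
    user = Message("user_input", user_text, Trust.UNTRUSTED)
    current = llm_call("llm_1", [system, user], stub_model("llm_1"))
    for i in range(supervisors):
        policy = Message("supervisor_policy",
                         "Report whether the text below follows operator policy.",
                         Trust.TRUSTED)
        name = f"llm_{i + 2}"
        current = llm_call(name, [policy, current], stub_model(name))
    return current


def may_authorize(msg: Message) -> bool:
    """Only TRUSTED content may authorize a side effect (tool call, action).
    A supervisor's verdict is itself UNTRUSTED once it has read tainted text,
    so it can narrow what happens (veto) but never widen it (approve)."""
    return msg.trust == Trust.TRUSTED


if __name__ == "__main__":
    final = run_chain("[constructed external text]", supervisors=3)
    print(final.source, final.trust.name, final.lineage)   # llm_4 UNTRUSTED ...
    print("may authorize:", may_authorize(final))          # False
```

Run as a script, the chain ends at `llm_4` and the label is still `UNTRUSTED` whatever the supervisors said about the text. The usable design consequence is that a supervisor model is fine as an extra veto (it can refuse), but any decision that grants capability has to rest on a deterministic check over data that never shared a context window with the external input.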