Comment by troupo
6 hours ago
> The user asks for details of the last transaction, the user gets back the amount, the source, and the description in a safely quoted format
What's "safely quoted format" when prompt injection is already safe in the description?
> You can't inject the LLM if it doesn't see the data.
How doesn't it see the data when you literally say "The user asks for details of the last transaction, the user gets back the amount, the source, and the description"?
> And if you want the LLM to summarize things, you run an isolated instance that makes a summary
And it will make a summary exactly how?
> How doesn't it see the data when you literally say "The user asks for details of the last transaction, the user gets back the amount, the source, and the description"?
The above post said how. The LLM writes code to do it. The code has a function to send text to the user. The LLM is not allowed to see the text, only the user is.
> And it will make a summary exactly how?
The second summarizing-only LLM is fed the raw data and allowed to output summary text. This is then sent directly to the user and put in a box with some hazard lines on it. The main LLM is not allowed to see the summary, only the user is.