Comment by megous
7 hours ago
The problem is not that you can make LLM perform whatever tool calls you want.
The problem is that those tool calls are not scoped to what you can access. Eg. tool call should not allow the LLM to access anything that you should not be able to access if you had access to the tool calls directly.
So in a sense the problem is not string interpretation confusion (like with SQL injection), but data access controls.
No comments yet
Contribute on Hacker News ↗