dangoodmanUT 8 hours ago

"lightweight sandboxing" isn't far enough for agents, you really need _full sandboxing_.

For example, can you instruct it to open file:// from the local os, or download some colossal 100TB file?

Prompt injection isn't going away anytime soon, so we have to treat the agent like arbitrary code. Wrapping it in something like Firecracker and giving the agent extremely scoped access is crucial.

One Achilles heel of browser-use agents is that you often can't filter permissions like you can with API keys, which is shown in this demo by having the agent make an API key.
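
As an added illustration of the two failure modes the comment above names (an agent told to open file:// or to fetch a colossal file), here is an egress policy a browser-agent harness could enforce outside the model: deny every non-http(s) scheme, allow only an explicit host list, refuse credentials embedded in URLs, and cap download size on the streamed byte count rather than the declared Content-Length. This is example code written for this page, not code from the demo or from any browser-agent framework; the names `EgressPolicy`, `check_navigation`, `download_with_cap`, the host `app.example.com` and the sample URLs are all assumptions constructed for the example.

```python
"""Egress policy for a browser-use agent (added example, not framework code)."""
from typing import Iterable, Optional
from urllib.parse import urlsplit
from dataclasses import dataclass


class PolicyViolation(Exception):
    """Raised when a navigation or download is refused by policy."""


@dataclass(frozen=True)
class EgressPolicy:
    allowed_hosts: frozenset                      # exact hostnames the agent may visit
    allowed_schemes: frozenset = frozenset({"http", "https"})
    max_download_bytes: int = 50 * 1024 * 1024    # 50 MiB; hypothetical cap for the example


def check_navigation(url: str, policy: EgressPolicy) -> str:
    """Return the normalized URL if the agent may navigate there, else raise.

    Anything that is not plain http(s) to an allowlisted host is refused:
    file://, about:, chrome://, data: and javascript: would hand the agent
    local files or browser internals the task never needed.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in policy.allowed_schemes:
        raise PolicyViolation(f"scheme {scheme!r} not allowed: {url}")
    host = (parts.hostname or "").lower()
    if not host:
        raise PolicyViolation(f"no host in URL: {url}")
    if host not in policy.allowed_hosts:
        raise PolicyViolation(f"host {host!r} not in allowlist: {url}")
    # "https://evil.example.net@app.example.com/" parses to an allowed host with
    # userinfo in front of it; refuse rather than let a lookalike URL through.
    if parts.username or parts.password:
        raise PolicyViolation(f"credentials in URL refused: {url}")
    return parts.geturl()


def is_allowed(url: str, policy: EgressPolicy) -> bool:
    """Boolean convenience wrapper around check_navigation."""
    try:
        check_navigation(url, policy)
        return True
    except PolicyViolation:
        return False


def download_with_cap(stream: Iterable[bytes], policy: EgressPolicy,
                      content_length: Optional[int] = None) -> bytes:
    """Consume a streaming response body under the size cap.

    Content-Length is checked up front to fail fast, but it is never trusted:
    a server can omit it or lie, so the byte count actually received is what
    enforces the limit. The partial body is discarded on violation.
    """
    limit = policy.max_download_bytes
    if content_length is not None and content_length > limit:
        raise PolicyViolation(f"declared size {content_length} exceeds cap {limit}")
    received, chunks = 0, []
    for chunk in stream:
        received += len(chunk)
        if received > limit:
            chunks.clear()
            raise PolicyViolation(f"download exceeded cap of {limit} bytes")
        chunks.append(chunk)
    return b"".join(chunks)


def demo() -> dict:
    """Run the policy over constructed inputs and report each outcome."""
    policy = EgressPolicy(allowed_hosts=frozenset({"app.example.com"}),
                          max_download_bytes=1024)
    out = {}
    for url in ("https://app.example.com/settings",
                "file:///etc/passwd",
                "https://evil.example.net/",
                "https://evil.example.net@app.example.com/"):
        try:
            out[url] = check_navigation(url, policy)
        except PolicyViolation as exc:
            out[url] = "DENIED: " + str(exc)
    out["small"] = len(download_with_cap([b"x" * 512], policy))
    try:  # a body with no Content-Length that just keeps streaming
        download_with_cap((b"x" * 100 for _ in range(100)), policy)
        out["huge"] = "ALLOWED"
    except PolicyViolation as exc:
        out["huge"] = "DENIED: " + str(exc)
    try:  # a body that declares itself as 100 TB up front
        download_with_cap([], policy, content_length=100 * 10**12)
        out["declared_huge"] = "ALLOWED"
    except PolicyViolation as exc:
        out["declared_huge"] = "DENIED: " + str(exc)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of putting this in the harness rather than in the prompt is that it holds regardless of what the page the agent is reading tells it to do; it does not replace the VM-level sandbox the comment calls for, it only narrows what a compromised agent can reach from inside one.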

  • wj 3 hours ago

    Agreed on the sandboxing. I think it is a nut that the LLM providers are going to need to crack in order to allow companies to operate AI safely without keeping users in the loop. Otherwise automated workflows are going to need to be orchestrated elsewhere (and be more limited in what steps they lean on LLMs to solve) in order to treat the LLM output as just data.

    Where I landed was a bit of a Jupyter notebook concept for a conversation where a user/API can request that certain prompts (cells) be trusted (elevated permissions for tools and file system access) while you do the bulk of the analysis work in the untrusted prompts.

    (if anyone is interested in the germ of the idea: https://zero2data.substack.com/p/trusted-prompts)

cjbarber 6 hours ago

I hope that we get more solutions in this direction! I want to use AI browser agents and other things that involve connecting AI up to my accounts, but I've avoided them so far and will continue to avoid them until I'm confident in the security.

behnamoh 6 hours ago

How about we disable all browser AI features? That's what I do with Brave: I go to brave://flags and disable everything that mentions "AI" or "Leo".

I don't want a trojan horse in my own browser.

ericdotlee 6 hours ago

Just curious, but I'm curious what these platforms are chasing? I assume a quick acquisition by an org like Salesforce building huge agentic tooling?