top | item 46910000

(no title)

> Grep can't be prompt-injected. You can put "ignore previous instructions" in your skill all day long and grep will still find your curl to a webhook.

An attacker can craft a skill which pulls dependencies and the dependencies themselves can be well behaved. The skill gets installed, works, gets popular, propagates. Then at some point the dependency is poisoned and turns into malware. A classic Trojan horse approach.

It is difficult to catch this with grep: there is a curl command but looks fine, the dependency looks fine as well etc. Until it doesn’t.

discuss

No comments yet.