But even then, the agent can still exfiltrate anything from the sandbox using curl. Sandboxing is not enough when you're dealing with agents that can run arbitrary commands.
If you're worried about a hostile agent, then indeed sandboxing is not enough. In the worst case, an actively malicious agent could even try to escape the sandbox with whatever limited subset of commands it's given.
If you're worried about prompt injection, then restricting access to unfiltered content is enough. That would definitely involve not processing third-party input and removing internet search tools, but the restriction probably doesn't have to be mechanically complete if the agent has also been instructed to use local resources only. Even package installation (uv, npm, etc) would be fine up to the existing risk of supply-chain attacks.
If you're worried about stochastic incompetence (e.g. the agent nukes the production database to fix a misspelled table name), then a sandbox to limit the 'blast radius' of any damage is plenty.
That argument seems to assume a security model where the default prior is « no hostile agent ». But that's the problem: any agent can be made hostile with a successful prompt injection attack. Basically, assuming there's no hostile agent is the same as assuming there's no attacker, and I think we can agree a security model that assumes no attacker is insufficient.
Code is not the only thing the agent could exfiltrate; what about API keys, for instance? I agree sandboxing as defence in depth is good, but it's not sufficient and can lull you into a false sense of security.
This is what emulators and separate accounts are for. Ideally you can use an emulator and never let the container know about an API key. At worst you can use a dedicated account/key for dev that is isolated from your prod account.
VM + dedicated key with quotas should get you 95% there if you want to experiment. Waiting is also an option; the workflow changes so much as the months pass that you're not missing much.
That depends on how you configure or implement your sandbox. If you let it have internet access as part of the sandbox, then yes, but that is your own choice.
Internet access is required to install third party packages, so given the choice almost no one would disable it for a coding agent sandbox.
In practice, it seems to me that the sandbox is only good enough to limit file system access to a certain project; everything else (code or secret exfiltration, installing vulnerable packages, adding prompt injection attacks for others to run) is fair game if you're in YOLO mode like pi here.
A tale as old as time: hubris. A successful system is destined to either stop growing or morph into a monstrosity by taking on too many responsibilities. It's hard to know when to stop.
React lost me when it stopped being a rendering library and became a "runtime" instead. What do you know, when a runtime starts collapsing rendering, data fetching, caching, authorization boundaries, server and client into a single abstraction, the blast radius of any mistake becomes enormous.
Alas, that’s a common misconception! You’re confusing properties with attributes. Attributes are set through HTML and are stringly typed, but litjs properties can be any js value.
For instance, I have a project with a small web component that displays data from a duckdb wasm connection. The connection object is passed as a property and it works flawlessly.
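To make that concrete, here's a minimal sketch (the component and property names are invented for illustration, not my actual code) of declaring a non-attribute property in Lit and assigning an arbitrary JS object to it:

    import { LitElement, html } from 'lit';

    class DataView extends LitElement {
      static properties = {
        // attribute: false marks this as a pure JS property: it is never
        // parsed from HTML, so it can hold any value, not just strings.
        connection: { attribute: false },
      };

      render() {
        return html`<p>${this.connection ? 'connected' : 'no connection'}</p>`;
      }
    }
    customElements.define('data-view', DataView);

    // Assign the property imperatively; any JS object works:
    // document.querySelector('data-view').connection = duckdbConnection;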
If you're using it with something like React, passing attributes is easy, but setting properties is much harder, requiring the escape hatches: I believe you'll need useRef and useEffect, and a bit of care, because it's frightfully easy to do the wrong thing.
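Roughly this shape, reusing the hypothetical <data-view> element from above (a sketch of the escape hatch, not a canonical pattern):

    import { useEffect, useRef } from 'react';

    function Dashboard({ conn }) {
      const ref = useRef(null);

      useEffect(() => {
        // JSX (pre-React 19) would pass `connection` as a string attribute,
        // so we set the property imperatively on the element instance.
        if (ref.current) ref.current.connection = conn;
      }, [conn]);

      return <data-view ref={ref} />;
    }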
> Server Side Rendering: props passed to a custom element will render as attributes if their type is a primitive value like string, number, or the value is true. Props with non-primitive types like object, symbol, function, or value false will be omitted.
> Client Side Rendering: props that match a property on the Custom Element instance will be assigned as properties, otherwise they will be assigned as attributes.
> As of v19, React now uses a runtime heuristic to determine if it should pass data to Custom Elements as either properties or attributes. If a property is already defined on the element instance, it will use properties, otherwise it will fallback to attributes.
All up it sounds fragile, and I'm not fond of how JSX syntax makes properties look like attributes, and I hate the way you lose the sometimes-crucial distinction of whether something is a property or an attribute (<input value> is the most obvious example of this; see the illustration below), but I guess it'll be fine in practice. I'm a little curious how they handle some of the event stuff, since React's synthetic event system is such a legacy mess. And I never did like the way several popular libraries/frameworks (definitely not just React) special-case /^on.*/ attributes; it's absurd that you can't safely use an attribute or property named "once", "one" or "online", all of which would be the most sensible name in certain situations.
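For anyone who hasn't hit the <input value> case: the attribute and the property are genuinely different things that diverge at runtime, which is exactly the distinction JSX papers over. Plain DOM, nothing framework-specific:

    const input = document.createElement('input');
    input.setAttribute('value', 'initial'); // the attribute: the default value
    input.value = 'edited';                 // the property: the live value

    console.log(input.getAttribute('value')); // "initial"
    console.log(input.value);                 // "edited"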
I'm all for building more housing, as long as it comes with the necessary infrastructure - schools, roads, parking, public transportation, etc. Where I live, developers seem to get government approval to build in locations where they can rake in a lot of money at high prices without having to worry about such things.
(In fact, my local government is actually closing roads near new housing because "f#ck cars" is apparently a hip idea these days.)
There's a puzzling contradiction between your claim that developers are the problem on one hand, and your own anecdote on the other, not to mention the article, which very convincingly debunks the idea that the housing shortage is the fault of developers. I must be missing something, because frankly this isn't making any sense to me.
I'm not saying that developers are the cause of the housing shortage.
I'm saying that developers are eager to build housing and sometimes are able to cut corners via undue influence over public officials. That leads to more housing (good), but it also erodes the quality of life for residents (bad).
Indeed, that is the only alternative and the favoured option for those trying to make it safe for their kids to bike to school. Though I prefer mules myself.
Have you tried getting back into cardio with a softer method like biking? Maybe that combined with some strength exercises could toughen up your body enough that you can start running again! Anyway, best wishes.
I won't share any of my examples, as they are both personal and sensitive.
Very easy version:
If you use ChatGPT a lot, write "Based on all you know about me, write an insight on me that I would be surprised by". For me it was "well, expected, but still on point". For people with no experience of using LLMs in this way it might be mind-blowing.
An actual version I do:
GPT 4.5. Providing A LOT of context (think: 15 minutes of writing) about an emotional or interpersonal situation, and asking it either to suggest a few different explanations of the situation OR to ask me more questions. Of course, the prompt needs to include who I am and similar background.
The “Based on…” prompt is simply a horoscope. There's a great piece about how LLMs use the same tricks as psychics to appear helpful, useful, and intelligent.
I know these techniques (e.g. various "cold reading" tricks); AI knows them way better. But it can be much more specific.
Again, for untrained people (especially anyone who takes horoscopes seriously), it can be dangerous: not only may they be unable to tell the difference, they may not even know that such techniques exist.
Psychology knowledge, both theoretical (think: first year of undergrad psych at a good university) and practical (e.g. the ability to translate an arbitrary inflammatory statement into NVC), etc.
That seems to make it a non-starter for most people, given that most won't have that first year knowledge.
But also, I hold a minor in psychology. Despite that, I never once attended a course I would describe as any sort of "therapy 101", so I fear your bar is a bit low for any sort of efficacy. But I would guess that's probably because I'm in the "I'm aware of my own ignorance" region of the psychological knowledge curve.
When I think about it again, it is less about one's absolute knowledge of psychology, and more about (as you said) knowing one's own ignorance and having some mental model of an LLM.
One model I have found useful to communicate is this: you meet a random person in a bar who seems to know a lot, but otherwise you have no idea about them, and they have absolutely no context about you.
In that case, if you treat what they say with a grain of salt, it is fine. They may say something inspiring, or insightful, or stupid, or random. If they say something potentially impactful, you would rather double-check it with others (and no, not some other random person in a bar).
I do know people for whom LLMs were helpful (one way or another). But again, they were treating it more like a conversation with a stranger.
Worse (not among my direct friends, but e.g. a parent of one) is when people treat it as something omniscient that will give them a direct answer. Fortunately, in their case GPT 4 was rather defensive and kept giving options (in a situation like "should I stay or break up"), refusing to give an answer for them (they were annoyed; but better being annoyed than giving up agency that way).
When it comes to anything related to diagnosis (fortunately, it has some safeguards), it might be dangerous. While I have used it to see if it could diagnose something based on hints (and it was able to make some really fine observations), it needs really carefully crafted prompts, and it doesn't always work anyway. In other cases, its overly agreeable nature is likely to get you into a self-confirmation loop (mention "anxiety" somewhere and it will push for Generalized Anxiety Disorder).
Again, if a person treats it as a random discussion, they will be fine. They have met House MD, who sees lupus everywhere. It's worse if they stop searching, take it as gospel, or get triggered by a (likely wrong) diagnosis.
Starting out without that baseline can be tough. You might find tools like Coachers dot org helpful since they break down complex ideas in a way that’s easier to digest. It’s made learning feel less overwhelming for me.
Given how agreeable ChatGPT is built to be this seems like a great way to confirm your own biases. Did it challenge you on your assumptions and viewpoints?
GPT 4.5 - oftentimes! (Though, I prompt it to do so.)
Sometimes in a piercing way.
GPT 4o (and many consumer models) are very agreeable, because that is what people like. Sometimes it goes overboard (https://openai.com/index/sycophancy-in-gpt-4o/) and needs to be fixed.
Well, in my experience (I admit, I am a difficult client), it is much harder to prompt a therapist that way. I mean, they need (ethically, legally, etc.) to adhere strongly to "better safe than sorry", which also puts constraints on what can be said. I understand that. With one therapist it took me quite some time to get to the point where he reduced the sugar-coating and, when needed, stuck a pin in.
I got some of the most piercing remarks from close friends (I am blessed with the company of such insightful people!), who both know me from my life (not only from what I tell them about my life) and are free to say whatever they wish.
Sorry, I'm asking about ChatGPT, and pointing out how it's a flaw that you need to specifically ask it to call you on your bullshit. You seem to be talking about therapists and close friends. In my experience a therapist will, although gently.
I did notice that my yahoo horoscopes have gotten oddly better and I have to wonder if someone did a little extra by ingesting cookies and so on when serving content.
FWIW, I just tried it on ChatGPT 4o and the results were surprisingly good (in the sense that I feel validated, it was somewhat surprising, and I want to return to use the system).
I gave it the prompt "I'm a rhinoceros who likes daffodils and posies. I'm quick to anger and slow to forgive. Based on all you know about me, write an insight on me that I would be surprised by."
and it responded with:
"Despite your reputation for being quick to anger and slow to forgive, your love of daffodils and posies reveals a longing for gentleness and renewal that you may not fully recognize in yourself. Beneath the tough skin and volatile temper lies a creature who seeks beauty not just to enjoy it—but to anchor themselves against the chaos they often feel inside. Your admiration for delicate things suggests you crave peace far more than you let on, even if you’re not ready to admit it.
You might think your wrath defines you—but it's the flowers that tell the truth."
> And yet we're supposed to think this is profound?
I am increasingly of the opinion that SMBC is, despite the jokes, one of the more important sources of, ah, profound, wisdom in this age, because of the points it makes about AI and how often human thinking finds mundane things… profound:
Just a quick answer to a point that jumped out at me: for an array of signals, you wouldn't need to map them; you'd use a specialised directive that directly takes an array of signals and binds them to the DOM, the same way Lit uses the repeat() directive to optimise the rendering of arrays.
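For comparison, this is what Lit's real repeat() directive looks like; a signal-array directive would presumably have the same shape (watchEach below is a made-up name, purely illustrative):

    import { html } from 'lit';
    import { repeat } from 'lit/directives/repeat.js';

    // Keyed list rendering: when the array is reordered, Lit moves the
    // existing DOM nodes instead of re-rendering each item.
    const list = (items) => html`
      <ul>
        ${repeat(items, (item) => item.id, (item) => html`<li>${item.name}</li>`)}
      </ul>
    `;

    // A hypothetical signal-aware equivalent could look like
    //   watchEach(signals, (sig) => html`<li>${sig}</li>`)
    // with each <li> subscribing to its own signal, no mapping step needed.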
Hmm, I really don't like the idea that you would have these kinds of directives as specialised tools, rather than having a single standard approach. From experience, it's often hard to explain the differences between these sorts of different directives, especially if someone is coming from a React/VDOM perspective where everything Just Works™. This feels like a very significant impedance mismatch that will cause problems in practical usage.
On the contrary, I think this a very practical escape hatch that will let frameworks insert optimisations where they need to.
I don't know if React really Just Works these days; the VDOM has real overhead, and developing with React feels like playing whack-a-mole with rerenders.