by greshake 1183 days ago
[...] demonstrate potentially brutal consequences of giving LLMs like ChatGPT interfaces to other applications. We propose newly enabled attack vectors and techniques and provide demonstrations of each in this repository:

- Remote control of chat LLMs
- Leaking/exfiltrating user data
- Persistent compromise across sessions
- Spread injections to other LLMs
- Compromising LLMs with tiny multi-stage payloads
- Automated social engineering
- Targeting code completion engines

Based on our findings:

- Prompt injections can be as powerful as arbitrary code execution.
- Indirect prompt injections are a new, much more powerful way of delivering injections.