[forty]

How do you prevent someone random from asking your bot to archive all your emails (for example) with a specifically crafted email ?

[splitbrain]

Yeah, and if this can also automatically send mails, we not only have prompt injection but also data exfiltration.

[dbish]

2 things right now, 1) it can only draft emails, requires human in the loop to send still. 2) every email you can think of as resetting the context so at most you can only prompt inject your email and get it classified differently or have the agent try to use one of the available tools just for that email, it won’t impact other emails.