[zahlman]

> Doesn't the agent already have bash though?

You don't have to give it bash, depending on your tools at least.

> So it can blow itself up and... I think that's about it?

And exfiltrate data via the Internet, fill up disk space...

[andai]

It can already exfiltrate stuff in a VM though right? Like people will run this thing in a sandboxed environment in docker in a VM but then hook it up to GMail and also feed it random web content (web search tool, Twitter integration etc.).

I saw at least some interest in a better security model where for example instead of giving it the API keys, there's a broker that rewrites the curl requests and injects keys so the agent doesn't see them.

I'm not sure what that looks like for your emails or web content though, since using placeholders there would defeat the purpose.

[zahlman]

> a broker that rewrites the curl requests and injects keys so the agent doesn't see them.

This seems like the right way to do it, but you still have to worry about what information the agent wants to send out. Especially if it could get prompt-injected. Email sounds to me like a complete no-go.