by habinero 56 days ago
Yeah, that's incredibly unsafe. You made a footgun machine and you're firing it with no shoes on. Don't run that on any machine with credentials you care about.

At the very least, run it in Docker. It's not a security tool, but it's at least some kind of guardrail against data loss and exfiltration.

2 comments

> Yeah, that's incredibly unsafe.

Having a browser on your machines is unsafe. The browser is a massively more dangerous attack surface than an Emacs-based LLM tool. What I have is a curated set of Lisp functions exposed to an LLM through a protocol I control, running in a single-user process, on my machine, behind my firewall. The attack surface is comically small by comparison.

Any browser that I trust to not instantly[1] eat my face has sandboxing features to at least pretend it wants to be secure. I'm not aware of any text editor that has built in anything of the sort.

It's a nice habit to get into if you can bring yourself to firejail your editor to $HOME/jail and keep all your r/w files in $HOME/jail/Documents and such. But only the most socially unacceptable of paranoid sysadmins do that. Ahem.

[1] FF/Chrome/javascriptless ones. The others are put in prison with no chance of parole and strict visitation policies.
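The firejail habit described above, as an added example that is not part of the thread: a POSIX sh wrapper that confines an editor to $HOME/jail. It assumes GNU coreutils and firejail are installed; the editor name and the jail layout are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: wrap an editor in firejail so it only sees $HOME/jail.
# Assumptions: GNU coreutils (readlink -f) and firejail are installed; editor defaults to emacs.
# The real boundary is firejail's private home and network namespace; in_jail() is only a
# pre-flight check so the wrapper refuses paths the sandboxed editor could not see anyway.
JAIL="${JAIL:-$HOME/jail}"

# Create the layout the comment describes: r/w files live under $JAIL/Documents.
setup_jail() {
  mkdir -p "$JAIL/Documents" && chmod 700 "$JAIL"
}

# Resolve symlinks and ".." where possible, then require the path to sit under $JAIL.
# If resolution fails (path does not exist yet) any ".." component is refused, not guessed.
in_jail() {
  p=$(readlink -f -- "$1" 2>/dev/null) || p=$1
  [ -n "$p" ] || p=$1
  case "$p" in
    ../*|*/../*|*/..|..) return 1 ;;
    "$JAIL"|"$JAIL"/*) return 0 ;;
  esac
  return 1
}

# firejail options: --private=DIR mounts DIR as $HOME, so the real ~/.ssh, ~/.aws and
# similar are simply absent; --net=none removes the network, so an injected "send this
# file somewhere" has nowhere to go; --noroot, --nonewprivs, --caps.drop=all and --seccomp
# cut off privilege escalation inside the sandbox.
jail_args() {
  printf '%s\n' "--private=$JAIL" --net=none --noroot --nonewprivs --caps.drop=all --seccomp
}

# Launch: every file argument must be inside the jail or the wrapper stops.
run_jailed() {
  editor=${1:-emacs}
  [ $# -gt 0 ] && shift
  for f in "$@"; do
    in_jail "$f" || { echo "refusing $f: outside $JAIL" >&2; return 1; }
  done
  setup_jail || return 1
  # shellcheck disable=SC2046
  exec firejail $(jail_args) "$editor" "$@"
}

# Usage (not run when this file is sourced): run_jailed emacs "$HOME/jail/Documents/notes.org"
```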

A browser's sandbox exists because it routinely executes arbitrary code from untrusted remote origins. Emacs (or any other editor) with an LLM integration does not fetch and auto-execute code from random origins. Your firejail point proves too much, even though the idea sure is riveting. By that logic, my shell is also catastrophically insecure - it can rm -rf /, read my ssh keys, send some files anywhere. Yet nobody seriously argues shells need browser-style sandboxing. The implicit trust model is different: these are tools where you control what runs.

Yes, there are prompt injection risks; they are legit, but that's the property of the LLM, not Emacs. A browser sandbox protects you from code you never chose to run. An editor integration runs code you asked for. These are different problems requiring different mitigations.

You guys keep patronizing me on this, you think I'm some truck driver/florist/butcher by day, and I put on my amateur coder suit at night? Just so you know, I spent years working on security.cisco.com team and went through SANS training and certification. Ever occurred to you that just maybe, perhaps, potentially, theoretically, hypothetically - I'm not completely, utterly ignorant about all this shit?

<insert: Friendly reminder to replace Docker with Podman>

> It's not a security tool,

Amen to that, brother.

I'm sure somebody can google up a better example page than this. https://web.archive.org/web/20260322141827/https://www.simpl...