zlacker

12 comments
1. uxhack+(OP) 2026-02-02 22:58:59
So the question is: can you do anything useful with the agent risk-free?

For example I would love for an agent to do my grocery shopping for me, but then I have to give it access to my credit card.

It is the same issue with travel.

What other useful tasks can one offload to the agents without risk?

replies(4): >>sebmel+Q >>xXSLAY+kC >>johnsm+9E >>bretpi+4X1
2. sebmel+Q 2026-02-02 23:02:38
>>uxhack+(OP)
With the right approval chain it could be useful.
replies(1): >>jondwi+Ml
3. jondwi+Ml 2026-02-03 00:53:33
>>sebmel+Q
The agent is tricked into writing a script that bypasses whatever vibe coded approval sandbox is implemented.
replies(1): >>Smirki+bx
4. Smirki+bx 2026-02-03 02:05:48
>>jondwi+Ml
Picturing the agent calling your own bank to reset your password so it can log in and get RW access to your bank account, and talking (with your voice) to a fellow AI customer service clanker.
5. xXSLAY+kC 2026-02-03 02:41:34
>>uxhack+(OP)
Imagine how specific you'd have to be to ensure you got the actual items on your list?
replies(1): >>cgrisw+lu1
6. johnsm+9E 2026-02-03 02:57:45
>>uxhack+(OP)
The solution is proxy everything. The agent doesn't have an API key, or your actual credit card. It has proxies of everything, but the actual agent lives in a locked box.

Control all input out of it with proper security controls on it.

While not perfect, it at least gives you a fighting chance to block it when your AI decides to send some random person your SSN and a credit card.

replies(3): >>stickf+Re1 >>krainb+ml1 >>zbentl+h02
7. stickf+Re1 2026-02-03 08:24:19
>>johnsm+9E
Unfortunately I don't think this works either, or at least isn't so straightforward.

Claude Code asks me over and over "can I run this shell command?" and, like everyone else, after the 5th time I tell it to run everything and stop asking.

Maybe using a credit card can be gated since you probably don't make frequent purchases, but frequently-used API keys are a lost cause. Humans are lazy.

replies(1): >>johnsm+QP2
8. krainb+ml1 2026-02-03 09:14:21
>>johnsm+9E
> The solution is proxy everything.

Who knew it'd be so simple.

9. cgrisw+lu1 2026-02-03 10:20:02
>>xXSLAY+kC
You won’t get them anyway because the acceptable substitutions list is crammed with anything they think they can get away with and the human fulfilling the order doesn’t want to walk to that part of the store. So you might as well just let the agent have a crack at it.
10. bretpi+4X1 2026-02-03 13:44:30
>>uxhack+(OP)
The solution exists in the financial controls world. Agent = drafter, human = approver. The challenge is very few applications are designed to allow this, Amazon's 1-click checkout is the exact opposite. Writing a proxy for each individual app you give it access to and shimming in your own line of what the agent can do and what it needs approval is a complex and brittle solution.
11. zbentl+h02 2026-02-03 14:01:35
>>johnsm+9E
> with proper security controls on it

That's the hard part: how?

With the right prompt, the confined AI can behave as maliciously (and cleverly) as a human adversary--obfuscating/concealing sensitive data it manipulates and so on--so how would you implement security controls there?

It's definitely possible, but it's also definitely not trivial. "I want to de-risk traffic to/from a system that is potentially an adversary" is ... most of infosec--the entire field--I think. In other words, it's a huge problem whose solutions require lots of judgement calls, expertise, and layered solutions, not something simple like "just slap a firewall on it and look for regex strings matching credit card numbers and you're all set".

replies(1): >>johnsm+xO2
12. johnsm+xO2 2026-02-03 17:38:53
>>zbentl+h02
Yeah, I'm definitely not suggesting it's easy.

The problem simply put is as difficult as:

Given a human running your system, how do you prevent them damaging it? AI is effectively the same problem.

Outsourcing has a lot of interesting solutions around this. They already focus heavily on "not entirely trusted agent" with secure systems. They aren't perfect but it's a good place to learn.

13. johnsm+QP2 2026-02-03 17:43:16
>>stickf+Re1
Per task granular level control.

You trust the configuration level not the execution level.

API keys are honestly an easy fix. Claude Code already has built-in proxy ability. I run containers where Claude Code has a dummy key and all requests are proxied out and swapped off-system for them.
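A sketch of the arrangement comments 6 and 13 describe, added here as an example; it is not code from the thread, from the commenters, or from Claude Code. The sandbox is handed only a placeholder token, and a process running outside the sandbox swaps in the real credential and enforces a per-task allowlist before a request leaves. The hostnames, paths, token values and policy format are all hypothetical.

```python
"""Credential-swapping egress proxy (added example, not code from the thread)."""
import os
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from http.server import BaseHTTPRequestHandler, HTTPServer

PLACEHOLDER = "DUMMY-KEY-0000"  # the only credential the agent container ever sees

# Hypothetical per-task policy. Only the hosts, methods and paths listed here are
# reachable; the real secret comes from the proxy's environment, never from the
# sandbox. Drafting paths are allowed, checkout is deliberately absent.
POLICY = {
    "api.example-grocer.test": {
        "methods": {"GET", "POST"},
        "paths": ["/v1/search", "/v1/cart"],
        "header": "Authorization",
        "secret": "Bearer " + os.environ.get("GROCER_TOKEN", "real-token-from-vault"),
    }
}
HOP_BY_HOP = {"host", "connection", "proxy-connection", "keep-alive",
              "transfer-encoding", "content-length", "proxy-authorization"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    upstream_url: str = ""
    headers: dict = field(default_factory=dict)


def decide(policy, method, url, headers):
    """Apply the task policy to one request from the sandbox and swap the
    placeholder for the real credential. Returns what may leave the box."""
    u = urllib.parse.urlsplit(url)
    rule = policy.get(u.hostname or "")
    if rule is None:
        return Decision(False, f"host {u.hostname!r} not in task policy")
    if method.upper() not in rule["methods"]:
        return Decision(False, f"{method.upper()} not permitted for {u.hostname}")
    if not any(u.path == p or u.path.startswith(p + "/") for p in rule["paths"]):
        return Decision(False, f"path {u.path} is outside the task and needs human approval")
    # Drop hop-by-hop headers; look the credential header up case-insensitively.
    out = {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}
    cred_key = next((k for k in out if k.lower() == rule["header"].lower()), None)
    presented = out.pop(cred_key, None) if cred_key else None
    if presented != PLACEHOLDER:
        # Anything other than the dummy means the agent is improvising a credential.
        return Decision(False, "only the placeholder credential is accepted")
    out[rule["header"]] = rule["secret"]
    # The sandbox speaks plain HTTP to the proxy; upstream always gets TLS.
    upstream = urllib.parse.urlunsplit(("https", u.netloc, u.path, u.query, ""))
    return Decision(True, "ok", upstream, out)


class Egress(BaseHTTPRequestHandler):
    """Forward proxy for the sandbox: request line carries the absolute URL."""

    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        d = decide(POLICY, self.command, self.path, dict(self.headers))
        if not d.allowed:
            self.log_message("DENY %s %s: %s", self.command, self.path, d.reason)
            self.send_error(403, d.reason)
            return
        req = urllib.request.Request(d.upstream_url, data=body, headers=d.headers,
                                     method=self.command)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                status, payload, hdrs = resp.status, resp.read(), resp.headers.items()
        except urllib.error.HTTPError as e:
            status, payload, hdrs = e.code, e.read(), e.headers.items()
        self.send_response(status)
        for k, v in hdrs:
            if k.lower() not in HOP_BY_HOP:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = do_PUT = do_DELETE = do_PATCH = _handle


if __name__ == "__main__":
    # Agent container (hypothetical): HTTP_PROXY=http://egress:8080 and the
    # API client configured with GROCER_TOKEN=DUMMY-KEY-0000.
    HTTPServer(("0.0.0.0", 8080), Egress).serve_forever()
```

The policy is what gets reviewed, not each request, which is the "trust the configuration level, not the execution level" split: the agent never sees a per-command prompt it could wear the human down with, and a path that is not in the list (checkout, in this sketch) is refused rather than approved by fatigue. The sandbox must only be able to reach the proxy over plain HTTP; CONNECT tunnels are not handled here, so any attempt by the agent to open its own TLS session should be blocked at the network layer, otherwise the allowlist is bypassed.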
