In my opinion, the trifecta can be reduced further to a simple statement: an attacker who can input into your LLM can control all its resources.
In my opinion, the trifecta can be reduced further to a simple statement: an attacker who can input into your LLM can control all its resources.
It can, but it doesn't really help someone spot the danger.
That isn't a helpful statement, and it also isn't correct.
“An LLM with a tool that READS untrusted content, is inherently also WRITING it into the context window.”
Is a slightly more useful flattening/reduction of the problem that I’m still wordsmithing and evangelizing.