You shouldn’t give an LLM any powers you wouldn’t give straight to the user. The LLM should only be able to perform actions on behalf of the user.
Not act as a gatekeeper with admin rights. It limits the usefulness of chatbots, but it feels futile to try to keep current LLMs from being social engineered.
I think we are in agreement - my point was that using an LLM as a front-end app for authenticated users (with the same rights as the front end GUI) can work OK. (with the possible risk of misunderstanding of natural language causing deletion of files)
But here we're talking about using LLMs as "customer service rep" replacements. Those chatbots would need some capabilities (escalate request, resend product, etc.)
My point is the only options are: de-power the bot (so the customer gets a worse experience), or get hacked/jailbroken within minutes.