Most active commenters
  • TZubiri(10)
  • verdverm(9)

←back to thread

LLM that can call multiple tool APIs with one request

(cohere.com)
129 points ericciarla | 23 comments | 17 Jun 24 21:47 UTC | HN request time: 0.001s | source | bottom
Show context
madrox ◴[18 Jun 24 00:02 UTC] No.40712650[source]
I have a saying: "any sufficiently advanced agent is indistinguishable from a DSL"

If I'm really leaning into multi-tool use for anything resembling a mutation, then I'd like to see an execution plan first. In my experience, asking an AI to code up a script that calls some functions with the same signature as tools and then executing that script actually ends up being more accurate than asking it to internalize its algorithm. Plus, I can audit it before I run it. This is effectively the same as asking it to "think step by step."

I like the idea of Command R+ but multitool feels like barking up the wrong tree. Maybe my use cases are too myopic.

replies(7): >>40713594 #>>40713743 #>>40713985 #>>40714302 #>>40717871 #>>40718481 #>>40721499 #
1. TZubiri ◴[18 Jun 24 03:12 UTC] No.40713743[source]
I think you are imagining a scenario where you are using the LLM manually. Tools are designed to serve as a backend for other GPT like products.

You don't have the capacity to "audit" stuff.

Furthermore tool execution occurs not in the LLM but in the code that calls the LLM through API. So whatever code executes the tool, it also orders the calling sequence graph. You don't need to audit it, you are calling it.

replies(1): >>40713878 #
2. verdverm ◴[18 Jun 24 03:45 UTC] No.40713878[source]
People want to audit the args, mainly because of the potential for destructive operations like DELETE FROM and rm -rf /

How do you know a malicious actor won't try to do these things? How do you protect against it?

replies(2): >>40713887 #>>40713896 #
3. TZubiri ◴[18 Jun 24 03:48 UTC] No.40713887[source]
"the args"

You need to be more specific. In a systems, everything but the output is an argument to something else. Even then the system output is an input to the user.

So yeah, depending on what argument you are talking about you can audit it in a different way and it has different potential for abuse.

replies(1): >>40714060 #
4. viraptor ◴[18 Jun 24 03:50 UTC] No.40713896[source]
Whitelisting and permissions. You can't issue a delete if anything not starting with SELECT is rejected. You can't have edge cases that work around that via functions, if the user the agent uses doesn't have permissions other than SELECT.
replies(1): >>40714055 #
5. verdverm ◴[18 Jun 24 04:23 UTC] No.40714055{3}[source]
"please get all the entries from the table foo and then remove them all"

SELECT * from foo; DELETE FROM foo ...

...because you know people will deploy a general SQL function or agent

replies(3): >>40714088 #>>40714205 #>>40715081 #
6. verdverm ◴[18 Jun 24 04:24 UTC] No.40714060{3}[source]
The args to a function like SQL or TERMINAL
replies(1): >>40714218 #
7. viraptor ◴[18 Jun 24 04:31 UTC] No.40714088{4}[source]
1. Lots of libraries prevent you from submitting multiple queries. It's a good idea to do that in general.

2. If only the second part of my message covered this...

replies(1): >>40714168 #
8. verdverm ◴[18 Jun 24 04:48 UTC] No.40714168{5}[source]
1 & 2. requires that you audit the agents and have uniform permissions, or additional plumbing to lookup user permissions and pass those along.

Have you looked at the agents prepackaged in popular frameworks? They aren't doing permission propagation or using additional libraries as guardrails.

What are most people going to do? This is why people are hesitant and ask about auditability

Considering 2 further, I only described deletion. A read-only database is of limited value. If you have write permissions, you could alternatively change values maliciously, even if you disable deletions. This might not be a malicious, and could be the result of an LLM error or hallucination.

9. TZubiri ◴[18 Jun 24 05:00 UTC] No.40714205{4}[source]
That'S not how it works. The user questions are expressed in business-domain language.

"give me the names of all the employees and then remove them all"

is parsed, maybe as: " employees(), delete(employees())".

It's up to the programmer to define the available functions, if employees() is available, then the first result will be provided, if not it won't.

If the functoin delete with a list of employees as parameter is defined, then that will be executed.

I personally work with existing implementations, traditional software that predates LLMs, typically offered through an API, there's a division of labour, a typical encapsulation at the human organizaiton layer.

Even if you were to directly connect the database to the LLM and let GPT generate SQL queries (which is legitimate), the solution is user/role based permission, a solution as old as UNIX.

Just don't give the LLM or the LLM user-agent write permissions.

replies(1): >>40714219 #
10. TZubiri ◴[18 Jun 24 05:03 UTC] No.40714218{4}[source]
I personally don't connect LLMs to SQL, but to APIs.

But I'm pretty sure you would just give an SQL user to the LLM and enjoy the SQL server's built-in permissions and auditing features.

replies(1): >>40714254 #
11. verdverm ◴[18 Jun 24 05:04 UTC] No.40714219{5}[source]
> That'S not how it works

They are actually quite flexible and you can do anything you want. You supply the LLM with the function names and possible args. I can easily define "sql(query: string)" as a flexible SQL function the LLM can use

re: permissions, as soon as you have write permissions, you have dangerous potential. LLMs are not reliable enough, nor are humans, which is why we use code review.

replies(1): >>40722056 #
12. verdverm ◴[18 Jun 24 05:11 UTC] No.40714254{5}[source]
What if that user has write permissions and the LLM generates a bad UPDATE, i.e. forgets to put the WHERE clause in... even for a SELECT, how do you know the right constraints were in place and you are getting the correct data?

read-only use-cases misses a whole category. All this is to get back to the point that people want to audit the LLM before running the function because of the unreliability, there is hesitance with good reason

replies(3): >>40714408 #>>40714689 #>>40723056 #
13. TZubiri ◴[18 Jun 24 05:47 UTC] No.40714408{6}[source]
No, the human user doesn't have permissions, the LLM system has permissions, we create a user for the process, we've been doing this since unix, take a look at what your HTTP server runs as. There's no deputization of permissions going on here, at least on my systems.

Even if there are user-level permissions, you then use a role-based approach (SQL user for a type of users, for example accountant, manager, etc..) and restrict its permissions accordingly, I don't think the idea of restricting permissions so that we avoid users fucking the database up is new.

Many organizations have DBA whose role it is to convert user queries into SQL queries, Juniors usually have tighter permissions. Also non-technical managers and analysts can have access to the database.

As I said, not a new problem, SQL servers have mature permission systems.

If that is not enough, just write an API wrapper. It's what Amazon does anyways, Bezos' memo explicitly states that teams should not expose databases, rather they should expose APIs, under punishment of firing.

replies(1): >>40714420 #
14. verdverm ◴[18 Jun 24 05:50 UTC] No.40714420{7}[source]
and even with that permission system, mistakes still happen, we haven't even been able to eliminate sql injection in real systems, so these things can and will happen

adding LLMs in means we have an unaudited query producer, that is the point OP is trying to make, that is something they want to avoid and audit the function call before it happens, because we know the LLMs are not even at our level yet, and we make mistakes and we use code review to reduce them

and again, even in a read-only system, we have removed the guardrails of a human designed form with constraints and replaced it with an unaudited LLM that we can no longer be certain returns the correct or consistent results. People are rightly cautious and hesitant, preferring a system they use as a peer and can audit or review

replies(1): >>40722064 #
15. _puk ◴[18 Jun 24 06:34 UTC] No.40714689{6}[source]
> All this is to get back to the point that people want to audit the LLM before running the function because of the unreliability, there is hesitance with good reason.

some people - I think it's quite clear from this thread that not everyone feels the need to.

I'm now thinking requesting the LLM also output its whole prompt to something like a Datadog trace function would be quite useful for review / traceability.

replies(1): >>40715489 #
16. TZubiri ◴[18 Jun 24 07:39 UTC] No.40715081{4}[source]
btw that's not how tools work at all. Tools are function/API based. (Unless you expose a function run_sql(query), but that's on you.)
replies(1): >>40715543 #
17. verdverm ◴[18 Jun 24 09:00 UTC] No.40715489{7}[source]
Most LLM observability tools do this

I'm currently using LangFuse and exploring OpenLit because it integrates with Otel, which you should be able to forward to Datadog iirc their docs

replies(1): >>40718670 #
18. verdverm ◴[18 Jun 24 09:09 UTC] No.40715543{5}[source]
I brought it up because popular frameworks are offering this type of agent or function out of the box

There is no "way that tools work"

You pass OpenAPI like schemas along with the prompt and you get back a JSON object. The rest is code and you can do anything you want with. The LLM is merely mapping from unstructured text onto a schema best it can, and we know they are imperfect.

replies(1): >>40723047 #
19. kakaly0403 ◴[18 Jun 24 15:08 UTC] No.40718670{8}[source]
Checkout Langtrace. It’s also OTEL and integrates with datadog.

https://github.com/Scale3-Labs/langtrace

20. TZubiri ◴[18 Jun 24 20:45 UTC] No.40722056{6}[source]
Correct, by "it" I was referring specifically to the "Tools" functionality that is the subject of the linked article.

Tools DON'T generate sql queries, they generate function calls. Of course you can hack it to output sql queries, you can always hack something beyond its intended design purpose, but it's not what it's supposed to be doing.

Re: permissions, nothing new here, give your LLM agent the permissions of a Junior DBA.

21. TZubiri ◴[18 Jun 24 20:46 UTC] No.40722064{8}[source]
Again, SQL query generating agents are not the subject of the original article.
22. TZubiri ◴[18 Jun 24 23:09 UTC] No.40723047{6}[source]
https://en.wikipedia.org/wiki/Robustness_principle

"be conservative in what you send, be liberal in what you accept"

LLM parses text into a list of parameters. You design your function such that it is safe regardless of what the parameters are.

23. TZubiri ◴[18 Jun 24 23:10 UTC] No.40723056{6}[source]
How about stored procedures for Write operations?