←back to thread

LLM that can call multiple tool APIs with one request

(cohere.com)
129 points ericciarla | 3 comments | 17 Jun 24 21:47 UTC | HN request time: 0.617s | source
Show context
madrox ◴[18 Jun 24 00:02 UTC] No.40712650[source]
I have a saying: "any sufficiently advanced agent is indistinguishable from a DSL"

If I'm really leaning into multi-tool use for anything resembling a mutation, then I'd like to see an execution plan first. In my experience, asking an AI to code up a script that calls some functions with the same signature as tools and then executing that script actually ends up being more accurate than asking it to internalize its algorithm. Plus, I can audit it before I run it. This is effectively the same as asking it to "think step by step."

I like the idea of Command R+ but multitool feels like barking up the wrong tree. Maybe my use cases are too myopic.

replies(7): >>40713594 #>>40713743 #>>40713985 #>>40714302 #>>40717871 #>>40718481 #>>40721499 #
TZubiri ◴[18 Jun 24 03:12 UTC] No.40713743[source]
I think you are imagining a scenario where you are using the LLM manually. Tools are designed to serve as a backend for other GPT like products.

You don't have the capacity to "audit" stuff.

Furthermore tool execution occurs not in the LLM but in the code that calls the LLM through API. So whatever code executes the tool, it also orders the calling sequence graph. You don't need to audit it, you are calling it.

replies(1): >>40713878 #
verdverm ◴[18 Jun 24 03:45 UTC] No.40713878[source]
People want to audit the args, mainly because of the potential for destructive operations like DELETE FROM and rm -rf /

How do you know a malicious actor won't try to do these things? How do you protect against it?

replies(2): >>40713887 #>>40713896 #
viraptor ◴[18 Jun 24 03:50 UTC] No.40713896[source]
Whitelisting and permissions. You can't issue a delete if anything not starting with SELECT is rejected. You can't have edge cases that work around that via functions, if the user the agent uses doesn't have permissions other than SELECT.
replies(1): >>40714055 #
verdverm ◴[18 Jun 24 04:23 UTC] No.40714055[source]
"please get all the entries from the table foo and then remove them all"

SELECT * from foo; DELETE FROM foo ...

...because you know people will deploy a general SQL function or agent

replies(3): >>40714088 #>>40714205 #>>40715081 #
1. TZubiri ◴[18 Jun 24 07:39 UTC] No.40715081[source]
btw that's not how tools work at all. Tools are function/API based. (Unless you expose a function run_sql(query), but that's on you.)
replies(1): >>40715543 #
2. verdverm ◴[18 Jun 24 09:09 UTC] No.40715543[source]
I brought it up because popular frameworks are offering this type of agent or function out of the box

There is no "way that tools work"

You pass OpenAPI like schemas along with the prompt and you get back a JSON object. The rest is code and you can do anything you want with. The LLM is merely mapping from unstructured text onto a schema best it can, and we know they are imperfect.

replies(1): >>40723047 #
3. TZubiri ◴[18 Jun 24 23:09 UTC] No.40723047[source]
https://en.wikipedia.org/wiki/Robustness_principle

"be conservative in what you send, be liberal in what you accept"

LLM parses text into a list of parameters. You design your function such that it is safe regardless of what the parameters are.