(sketch.dev)

435 points crawshaw | 1 comments | 15 May 25 19:33 UTC | HN request time: 0.212s | source

Show context

kuahyeow ◴[15 May 25 22:28 UTC] No.44000013[source]▶

What protection do people use when enabling an LLM to run `bash` on your machine ? Do you run it in a Docker container / LXC boundary ? `chroot` ?

replies(2): >>44000369 #>>44002663 #

CGamesPlay ◴[15 May 25 23:26 UTC] No.44000369[source]▶

>>44000013 #

The blog post in question is on the site for Sketch, which appears to use Docker containers. That said, I use Claude Code, which just uses unsandboxed commands with manual approval.

What's your concern? An accident or an attacker? For accidents, I use git and backups and develop in a devcontainer. For an attacker, bash just seems like an ineffective attack vector; I would be more worried about instructing the agent to write a reverse shell directly into the code.

replies(2): >>44001584 #>>44002882 #

zahlman ◴[16 May 25 03:30 UTC] No.44001584[source]▶

>>44000369 #

> For an attacker, bash just seems like an ineffective attack vector

All it needs to do is curl and run the actual payload.

replies(2): >>44001663 #>>44002359 #

Wilder7977 ◴[16 May 25 06:29 UTC] No.44002359[source]▶

>>44001584 #

Or even the standard "echo xxx | base64 -d" or a million other ways. How can someone say that bash is not interesting to an attacker is beyond me.

replies(1): >>44017845 #

1. CGamesPlay ◴[17 May 25 23:45 UTC] No.44017845[source]▶

>>44002359 #

But bash isn't a key ingredient in any of these. The exact same payload could easily be insert in the project's source code, and has the benefit of being persistent. Using a bash shell to do it might be the most obvious way, sure, but shutting down bash access is such a poor defense that it isn't worth doing.

↑

The unreasonable effectiveness of an LLM agent loop with tool use