I coined another term to try and describe a common subset of prompt injection attacks: the lethal trifecta.
Any time an LLM system combines access to private data with exposure to untrusted content and the ability to externally communicate, there’s an opportunity for attackers to trick the system into leaking that private data back to them.
These attacks are incredibly common. If you’re running YOLO coding agents with access to private source code or secrets (like API keys in environment variables) you need to be concerned about the potential of these attacks.
The only solution that’s credible is to run coding agents in a sandbox. ... The best sandboxes are the ones that run on someone else’s computer! That way the worst that can happen is someone else’s computer getting owned. ... There are lots of great sandboxes that run on other people’s computers. OpenAI Codex Cloud, Claude Code for the web, Gemini Jules are all excellent solutions for this.