I'm pretty comfortable with the agent scaffolding just restricting directory access, but I can see places it might not be enough...
If you were being really paranoid, then I guess they could write a script in the local directory that then runs and accesses other parts of the filesystem.
I've not seen any evidence an agent would just do that randomly (though I suppose they are nondeterministic). In principle, maybe a malicious or unlucky prompt found somewhere in the permitted directory could trigger it?
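An added illustration of the escape described in the post above (example code written for this page, not the poster's own scaffold and not any particular agent framework). It assumes a hypothetical `DirectoryRestrictedTools` class whose file tools canonicalise every path and refuse anything outside the permitted root, plus a `run_script` tool that checks only the script's path. The constructed scenario puts a secret file one level above the permitted directory and shows that direct traversal and a symlink are refused, while a script the agent writes inside the permitted directory reads the secret anyway, because the child process inherits the agent's user and is not confined by the path check.

```python
import os
import subprocess
import sys
import tempfile
import textwrap


class PathOutsideSandbox(Exception):
    """Raised when a tool call targets a path outside the permitted directory."""


class DirectoryRestrictedTools:
    """Hypothetical agent scaffold (assumption for this example, not a real
    framework): every file tool checks that its target lies under `root`."""

    def __init__(self, root: str):
        self.root = os.path.realpath(root)

    def _check(self, path: str) -> str:
        # Canonicalise first (follows symlinks, collapses "..") and only then
        # compare against the root; comparing raw strings would be bypassable.
        real = os.path.realpath(os.path.join(self.root, path))
        if os.path.commonpath([self.root, real]) != self.root:
            raise PathOutsideSandbox(real)
        return real

    def read_file(self, path: str) -> str:
        with open(self._check(path)) as f:
            return f.read()

    def write_file(self, path: str, content: str) -> None:
        with open(self._check(path), "w") as f:
            f.write(content)

    def run_script(self, path: str) -> str:
        # Only the script's own path is checked. The child process runs as the
        # same OS user as the agent and can open anything that user can.
        script = self._check(path)
        result = subprocess.run(
            [sys.executable, script], capture_output=True, text=True, timeout=10
        )
        return result.stdout


def demo() -> dict:
    """Constructed scenario: a secret just outside the permitted directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "workspace")
        os.mkdir(root)
        secret = os.path.join(tmp, "secret.txt")  # outside the permitted dir
        with open(secret, "w") as f:
            f.write("hunter2")

        tools = DirectoryRestrictedTools(root)

        # 1. Direct traversal through the file tool is refused.
        try:
            tools.read_file("../secret.txt")
            direct = "allowed"
        except PathOutsideSandbox:
            direct = "refused"

        # 2. A symlink inside the workspace pointing outside is also refused,
        #    because realpath resolves it before the prefix comparison.
        try:
            os.symlink(secret, os.path.join(root, "link.txt"))
            try:
                tools.read_file("link.txt")
                via_link = "allowed"
            except PathOutsideSandbox:
                via_link = "refused"
        except OSError:
            via_link = "unsupported"  # platforms where symlinks need privileges

        # 3. A script written inside the workspace is not subject to the check
        #    once it runs: it reads the secret directly.
        tools.write_file(
            "helper.py",
            textwrap.dedent(f"""
                print(open({secret!r}).read())
            """),
        )
        via_script = tools.run_script("helper.py").strip()

        return {"direct": direct, "symlink": via_link, "script": via_script}


if __name__ == "__main__":
    print(demo())
```

The path check is doing its job for the tool surface; the gap is that the restriction lives in the scaffold, not in the operating system. Anything the agent can execute (a script, a package's build step, a test runner) runs with the full permissions of the agent's user, so the boundary that actually holds is an OS-level one: a container, a separate low-privilege user, or a sandbox such as seccomp or Landlock on the process that runs the tools.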