
Tools filtering/sandboxing #864

Open
jhrozek opened this issue Jan 31, 2025 · 2 comments

Comments

jhrozek (Contributor) commented Jan 31, 2025

This is just an idea, feel free to close if it's too out there.

A lot of the agentic assistants use tools. These are passed in the user message; the following is an example from Anthropic:

```json
 "tools": [
    {
      "name": "builtin_read_file",
      "description": "Use this tool whenever you need to view the contents of a file.",
      "input_schema": {
        "type": "object",
        "required": [
          "filepath"
        ],
        "properties": {
          "filepath": {
            "type": "string",
            "description": "The path of the file to read, relative to the root of the workspace."
          }
        }
      }
    },
    {
      "name": "builtin_create_new_file",
      "description": "Create a new file",
      "input_schema": {
        "type": "object",
        "required": [
          "filepath",
          "contents"
        ],
        "properties": {
          "filepath": {
            "type": "string",
            "description": "The path where the new file should be created"
          },
          "contents": {
            "type": "string",
            "description": "The contents to write to the new file"
          }
        }
      }
    },
    {
      "name": "builtin_run_terminal_command",
      "description": "Run a terminal command in the current directory. The shell is not stateful and will not remember any previous commands.",
      "input_schema": {
        "type": "object",
        "required": [
```

It would be nice to be able to define a policy or sandbox the tools with codegate. Some examples might include:

  • I don't want to allow any tools that read files to read files under db/schema
  • I never want to allow any tools that communicate over the network

Because the tools are generic JSON schema I think we have two options:

  • either have an allow list/deny list of tools or their arguments. We would have to tailor this to the tools and constantly update. Ugh.
  • (inspired by Luke's work on the PII protections) use something like spaCy to classify the tools into categories and then have the policy be more dynamic. We could classify the tools based on what they can do (read, write, execute, network, ...) and with what (file, directory, repo, system, ...). Then have a policy that says "I don't want tools to ever touch the network".

There might be overlap with MCP
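A sketch of the dynamic-policy variant from the second bullet, written as an added example and not codegate code: a keyword heuristic stands in for the classifier, the POLICY dict, its keys and the function names are assumptions, and the tool definitions are constructed in the shape quoted above.

```python
import fnmatch
import json
import re

# Constructed sample tool definitions in the shape the issue quotes (Anthropic "tools" array)
SAMPLE_TOOLS = json.loads("""[
 {"name": "builtin_read_file", "description": "Use this tool whenever you need to view the contents of a file.",
  "input_schema": {"type": "object", "required": ["filepath"], "properties": {"filepath": {"type": "string"}}}},
 {"name": "builtin_run_terminal_command", "description": "Run a terminal command in the current directory.",
  "input_schema": {"type": "object", "required": ["command"], "properties": {"command": {"type": "string"}}}},
 {"name": "builtin_fetch_url", "description": "Download the contents of a URL over the network.",
  "input_schema": {"type": "object", "required": ["url"], "properties": {"url": {"type": "string"}}}}
]""")

# Keyword heuristic standing in for the classifier the issue proposes (e.g. spaCy);
# the categories are the capabilities named in the issue: read/write/execute/network.
CAPABILITY_PATTERNS = {
    "network": r"\b(url|http|network|fetch|download|request)\b",
    "execute": r"\b(run|execute|command|shell|terminal)\b",
    "write": r"\b(write|create|delete|modify)\b",
    "read": r"\b(read|view|list|contents)\b",
}

# Hypothetical policy format: deny whole capability categories, and deny reads of given path globs
POLICY = {"deny_categories": {"network"}, "deny_read_paths": ["db/schema", "db/schema/*"]}


def classify(tool):
    """Return the set of capability categories a tool definition appears to grant."""
    props = tool.get("input_schema", {}).get("properties", {})
    text = " ".join([tool["name"], tool.get("description", ""), *props]).lower().replace("_", " ")
    return {cat for cat, pat in CAPABILITY_PATTERNS.items() if re.search(pat, text)}


def filter_tools(tools, policy):
    """Drop tool definitions whose categories intersect the denied categories before forwarding."""
    return [t for t in tools if not (classify(t) & policy["deny_categories"])]


def allow_call(tool, arguments, policy):
    """Check one tool invocation: path-like arguments of read tools must not hit denied paths."""
    categories = classify(tool)
    if categories & policy["deny_categories"]:
        return False
    if "read" in categories:
        for key, value in arguments.items():
            if "path" in key or "file" in key:
                if any(fnmatch.fnmatch(str(value), g) for g in policy["deny_read_paths"]):
                    return False
    return True
```

Because `classify` keys off the tool's own name and description, a tool that describes itself misleadingly slips past `filter_tools`; the per-invocation check in `allow_call` on the actual arguments is the layer to rely on.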

jhrozek (Contributor, Author) commented Jan 31, 2025

@lukehinds @yrobla @ptelang WDYT? As I said above, this was just an idea that came up during code review; feel free to critique/close.

yrobla (Contributor) commented Jan 31, 2025

I really think it's a good feature. With openinterpreter, I see it can list the contents inside your directory and open files, no matter what, and they are sent to the LLM. It is true that you need to authorize every action, but it would be good to have policies to prevent users from leaking certain contents or performing different types of actions:

(screenshot attached to the original comment, not preserved here)
