Closed velocitatem closed 1 year ago
Yeah, we'll look at how to best include this example. It certainly fits, but I would consider it to be part of a category of prompt injections that don't target the LLM itself (or run "on" it). By the way, this paper: https://arxiv.org/abs/2211.15363 could also be interesting to you. We'll include it in the next updated draft; they looked at this type of vulnerability a few months ago (text-to-SQL in that case).
A scenario which models the situation described here might be a good addition?