The question that always needs to be asked (and ideally should have a section in the readme): What are the limits to what prompt injection can do with this?
- Does the app support embedded LLM-generated links/images (either through HTML or Markdown)?
- Is there any long-term reading history being stored (even locally) that the LLM has access to and that could be included in an exfiltration attack?
- Are there plans to offer external hosting with user accounts, and if so, see above question about image/link support again.
With any LLM tool like this, the answer to "is it vulnerable to prompt injection" is "yes", so the actual question is "how much is the app doing, how bad would prompt injection be?"
In this case, from what I can tell, it's just a self-hosted summary tool, so prompt injection would be limited to a website getting the LLM to generate inaccurate summaries. It doesn't look like the LLM has the ability to insert links/images, but I haven't tested in more detail to make sure. So threat seems minimal?
But I really encourage projects like this to add sections to their README files spelling that out more explicitly. We need to get better as a community at making sure that people understand that prompt injection is a factor that needs to be considered for every single LLM-based project.
I think it's actually pretty cool, but I would also see it in reverse: to have highlighted passages while reading the long form - click to view a relevant summary of why that passage is an important point in the longer doc.
I feel this is adding an extra layer on top of summarization, where you will now also need to trust where the partial summary leads to, in addition to trusting that the summary didn't miss main points.
If you promote things like this as research tools, ways to extract technical information quickly from complex documents, hey cool. Trying to frame your product as an alternative to "traditional reading" makes me want to barf.
Yet, consuming books and websites will fundamentally change in the next few years. There is little reason to have nausea over alternate forms of content consumption.
Consuming always changes. The process for internalizing knowledge stays the same. It will always be in-depth deliberate practice, spaced repetition or repeated use, and time.
When you rely on something else to chunk the knowledge for you, you aren't doing the work.
These tools will be great when they don't miss the details relevant to you, but how are you getting the signal when they do miss details for you?
Same thing with Plato and writing. Writing did not limit memory for those that treated writing as a tool. Writing enabled the throughput of putting stuff into long term memory for many scholars. It also encouraged new ways of work. But a reference or summary could never replace what you put in your head.
In a few years knowledge work will not be the domain of humans, the same way transporting heavy building supplies is no longer the domain of oxen and donkeys.
We may still ingest knowledge for our own amusement but it won't serve any practical purpose.
Skimming has been a valid alternative to traditional reading under certain circumstances since the dawn of the written word; I don't see why this is any more offensive.