Skills
Quarantine untrusted content with the dual-LLM / CaMeL pattern so injected text never reaches the tool-calling model
CaMeL operationalizes Simon Willison's dual-LLM idea: a Privileged LLM controls tools and actions while a separate Quarantined LLM processes untrusted content, has no tool access or persistent state, and returns only typed, labeled data over an inspectable channel. A capability-based interpreter then enforces deterministic security policy outside the model. On the AgentDojo benchmark this structural separation mitigated 67% of prompt-injection attacks — far better than instruction-based defenses that any clever payload can override.
Source
↳ Follow the thread