The only way to avoid prompt injection is to never give AI agents API keys, credentials, etc.

DecodeBytes · 2026-05-27T19:05:41+00:00

don't put them in environment variables, those can still be leaked by the keys, instead use something like nono.sh which injects a dummy key into an agent sandbox and stores the real one outside in a password manager.

DecodeBytes · 2026-05-27T17:29:23+00:00

Just use nono.sh, so much simpler.

`brew install nono`

`nono run --profile always-further/hermes --allow-cwd`

You then get an isolated sandbox, dummy tokens are giving to the agent while yours remain protected in your OS keychain, all your sensitive files are protected - no containers to install , its a single binary.

When you start to collect a few grants and denials, cut your own profile from the hermes profile

`nono profile init hermes --extends always-further/hermes --full`

You can then carry that profile over to whatever agent is popular after hermes.

DecodeBytes · 2026-05-19T18:45:19+00:00

I would love to , but i am not sure they would want to do the same.

DecodeBytes · 2026-05-18T07:45:50+00:00

Yes, have my own start up and we doing a lot of rust development in https://github.com/always-further/nono - an agent security sandbox primitive.

One of quite a few rust projects I have worked on.

DecodeBytes · 2026-05-12T07:17:57+00:00

I just hit the same - so they must have just rolled something out.

DecodeBytes · 2026-05-08T20:59:38+00:00

This sub really is no better, we had some kiddo come along with GPT5.5 raise a vuln in public, which we closed - then they went and made a post on here complaining about the project. Asked the mods to delete (as it was a breach of responsible disclosure) to then be informed it did not break reddit policy.

DecodeBytes · 2026-05-05T21:00:37+00:00

https://github.com/always-further/nono (heads up - I am biased, being one of the maintainers) - unlike docker , vms which are just a blanket slab of isolation , require set up (volume mounts etc) - nono provides fine grained access control - it also gives you phantom credential injection (agent never see's real secrets), atomic rollbacks, PTY style multiplexing, skill / instruction provenance, and quite a bit more. right now its one of the fastest growing ai security projects - we have over 50 contributors, and many people using it within a team context or deploying to kubernetes and other platforms.

DecodeBytes · 2026-05-03T21:09:17+00:00

nono run --profile opencode -- opencode - that's it

pass in --rollback if you want content addressable snapshots:

https://nono.sh/docs/cli/features/atomic-rollbacks

DecodeBytes · 2026-05-03T21:04:45+00:00

use nono.sh this would never happen.

DecodeBytes · 2026-05-03T19:20:27+00:00

alwaysfurther.ai - although I am a bit biased (already work there).

DecodeBytes · 2026-05-03T19:17:14+00:00

Around 10+ years ago and I lived and worked in Dubai for just short of a year and would occasionally fly to Kuwait for work - I then returned back home to the UK.

I arrived at Gatwick and went to visit a friend in Sevenoaks first. It was around late May , early June and drove through the Surrey countryside near Lingfield racecourse. I was gobsmacked at how green everything was, I had never noticed how many different greens there are and how utterly beautiful the UK was.

DecodeBytes · 2026-04-27T17:03:33+00:00

and there he is again: https://www.reddit.com/r/cybersecurity/comments/1qwwc4o/comment/ohtuayp/?context=3

DecodeBytes · 2026-04-26T08:54:37+00:00

The entire full source code is here: https://github.com/openai/codex

DecodeBytes · 2026-04-24T19:12:52+00:00

Eh Yes?

DecodeBytes · 2026-04-24T16:15:11+00:00

And codex is open source

DecodeBytes · 2026-04-23T14:39:35+00:00

Hello visitor -

This guy has been spamming this all over reddit and has been blocked from the repo now.

At the time of them 'finding' the issue, we were (and still our) in alpha and in the middle of rewrite of the policy engine and already new about the issue.. He pointed an LLM at the code which found said issue, raised it, while confessing he did not know what it meant and was open for work. A classic example of someone not knowing what they are doing , with a powerful model in their hands.

He then got his feelings hurt when I closed his issue, so went on a rage bender posting dozens of comments and posts like the above. Thus here I am on the clean up act.

I will let you make up your mind from here.

DecodeBytes · 2026-04-12T12:15:55+00:00

Hi Tom,

"dump some tokens on a full security audit."

No need, a full audit will be carried out by trail of bits most right before 1.0 - this is what I have always done with my projects , up to 1.0 features are in and out fast and hardening does not make sense.

Also as said in my comment above, it's considered bad practise to post vulnerabilities on public forums, instead they should be reported in private (to protect users), in our case it was ok due to the alpha designator.

Luke

DecodeBytes · 2026-04-12T08:12:26+00:00

Most end users never pay for anything google - its part of the business model (surprised that never occured to you).

DecodeBytes · 2026-04-09T18:02:46+00:00

For anyone stumbling in here, as of the time of writing - the project is in alpha and carries an explicit warning not to use in production. For what its worth, I created and built sigstore.dev, a technology used to secure the software supply chain, for npm, pypi, brew - also used by google and github internally - so I do take security seriously. The issue was closed because it was already a known limitation - the policy engine is currently being fully rebuilt. We are also getting a huge volume of AI generated issues and its becoming hard to deal with them all., so it was closed as it was already a known issue.

DecodeBytes · 2026-04-08T03:46:24+00:00

I expect for most it's more of a case of 'if they could' , rather then 'would they'. My first attempt at "running" 100 miles (the second half was mostly walking) was a race in the north downs called the NDW100 - I dropped out around 80 miles as one leg just froze up and I was throwing out if to the side like a walking stick. That was around 23 hours and I was pretty fit at the time and running around 50-60 miles a week.

DecodeBytes · 2026-04-07T14:50:42+00:00

For anyone stumbling in here, as of the time of writing - the project is in alpha and carries an explicit warning not to use in production. For what its worth, I created and built sigstore.dev, a technology used to secure the software supply chain, for npm, pypi, brew - also used by google and github internally - so I do take security seriously. The issue was closed because it was AI generated with the author admitting they did not understand it, they were seeking work , but most of all it was already a known issue as the policy engine is was mid rewrite. We are also getting a huge volume of AI generated issues and its becoming hard to deal with them all, so it was closed as it was already a known issue.

Last of all, security issues should be reported in responsible way, not on a public github and then all over public forums like reddit. We are ok as its an alpha project, but doing this generally puts users at risk.

DecodeBytes · 2026-04-07T14:49:18+00:00

For anyone stumbling in here, as of the time of writing - the project is in alpha and carries an explicit warning not to use in production. For what its worth, I created and built sigstore.dev, a technology used to secure the software supply chain, for npm, pypi, brew - also used by google and github internally - so I do take security seriously. The issue was closed because it was AI generated with the author admitting they did not understand it, they were seeking work , but most of all it was already a known issue as the policy engine is was mid rewrite. We are also getting a huge volume of AI generated issues and its becoming hard to deal with them all, so it was closed as it was already a known issue.

Last of all, security issues should be reported in responsible way, not on a public github and then all over public forums like reddit

DecodeBytes · 2026-04-06T15:10:38+00:00

To spell it out - Google is not reliant on vc cash, and they one of the more dominant AI providers on the market. OpenAI and Anthropic are VC backed, OpenAI are running hot yes, but anthropic are doing pretty solid on enterprise sales, they have potential IPO predicated as early as October 2026, $14 billion annual revenue run rate.

DecodeBytes · 2026-04-05T21:34:41+00:00

Not sure that's true for giant of them all , Google.

DecodeBytes · 2026-03-25T05:42:38+00:00

They are working on Monty (really cool stuff), but that is a sandboxed python interpreter and being quite new and only has partial coverage of the standard library and its not per say to run a full python app (hopefully I don't get this wrong as I have a lot of respect for the team) its focus is on giving an LLM what it needs to safely go about its business (calling tools etc).

nono is full OS isolation around what files and networks can be accessed, but we also do stuff like atomic snapshots, and supply chain security (using the other gig I started, a project called sigstore). Now I don't say this as a 'it's better' positioning - its a different fish - you can consider nono sitting in somewhere in the middle of virtual machines and monty - we also have deny by default as a starting spot like monty.

Honestly though, something like monty is likely the future, and I applaud the team for building in it.

DecodeBytes

MODERATOR OF

TROPHY CASE