IsolateGPT runs individual tools in isolated containers, to ensure that tools cannot interact with components outside of their execution environments. Then to enable interaction between sandboxed tools, it allows apps to exchange messages only via a central trustworthy module

Our security architecture, named IsolateGPT, tackles these challenges. IsolateGPT assumes an LLM-based digital assistant that supports third-party tools for tasks, such as online shopping, email management, etc. and aims to secure adversarial manipulations between tools

Fundamentally the key issue is that LLMs load instructions from various sources (system, user, tools) in a shared context window where without safeguards, LLMs treat them with the same privileges

For example if a user prompts their LLM-based personal assistant to download and store email attachments in a cloud drive, the LLM can predict the necessary interfacing between email and cloud drive tools to carry out the task