FilterHN

Microsoft Copilot Cowork Exfiltrates Files

97 points

by Kneenex

1 hour ago

| past

| 7 comments

| promptarmor.com

| HN

▲

arjie

23 minutes ago

[-]

A skill is just a program for an LLM agent. This just seems like works-as-expected. Are the five lines in the skill notably innocuous or something? I don't mean to dismiss it out of hand but I don't understand what happened here because it seems to read "`curl $url | bash` can exfiltrate data" which seems pretty straightforward that it can.

▲

mdavidn

4 minutes ago

[-]

A skill is just instructions that the agent can autonomously copy into context. There’s no trust boundary between trusted and untrusted context.

▲

hansmayer

33 minutes ago

[-]

Well, isn't that swell - good that meanwhile countless MBA cretins have "adopted" enterprise-wide Copilot integrations, to make their companies "AI native" or whatever the word is on LinkedinLunatics street these days.

▲

pwarner

13 minutes ago

[-]

MS rushed this to production, sure they call it a beta feature but it's clear it was super rushed. They're desperate to be relevant.

▲

Quothling

13 minutes ago

[-]

Nice find. We're PoCing Cowork and I've personally been impressed with it so far, but it seems we'll have to wait with a wider rollout until Microoft give us more admin feature to turn off what users can do with it.

> Note: Admins have limited oversight of ‘Skills’, as Skills in Copilot Cowork are automatically loaded from a specific path in a user’s OneDrive.

I feel this part is a bit disingenuous. We have full control over the sharepoint containers which house users personal onedrives. We actively scan them and prevent a lot of files from getting in them. That being said, it's still a fair point, because a "skill" could basically be a text file.

▲

2001zhaozhao

36 minutes ago

[-]

AKA, if a malicious skill got into your AI agent, you're cooked.

I think this isn't surprising, nor do I think it should be considered a prompt injection at all. An AI skill is akin to a plugin for traditional software - if you install a malicious IDE extension or Outlook plugin, the attacker can also do whatever they want to the PC and exfiltrate whatever data they want to. So this article is a big nothingburger.

▲

mdavidn

11 minutes ago

[-]

If this can be exploited via a skill, then it can be exploited via untrusted input inserted into context. Does Cowork help with reading email?

▲

bberenberg

6 minutes ago

[-]

Only if it has access to exfiltrate data. We deny by default and the company has to allowlist each individual destination.

▲

0gs

25 minutes ago

[-]

i think people are probably already doing it. i made a skill scanner but it's also just easy to download a zip and inspect the contents... but people are loading these things remotely. i agree that it is easy to not install a pentester's magic skill, but the attack capabilities a skill can have are pretty insane. people should just make their own is my pov.

▲

nico

32 minutes ago

[-]

I wonder if via-skill could become a software distribution channel. A bit like what has happened with LLM wiki

▲

aabhay

32 minutes ago

[-]

Its actually even worse — its advertising for their product

▲

SpicyLemonZest

19 minutes ago

[-]

Unlike plugins in traditional software, skills do not represent a carveout from any security boundary nor run with elevated trust. They're just selectively loaded context. Anything you can convince an agent to do with a skill you can convince it to do without one.

▲

cyanydeez

29 minutes ago

[-]

ai skill is not just a plugin. given the right model, supposedly, it can do much more. since everyones harness tends to be tied to the model, it has a whole tool set to use.

▲

Jabrov

33 minutes ago

[-]

It's yet another surface for dependency attacks

▲

bestony

28 minutes ago

[-]

Large-scale adoption will take time; we still need a lot more infrastructure, such as security, auditing, and payment systems.

▲

Awsum_IceCream