LLM plugins are extensions that operate automatically during user interactions and are driven entirely by the model, without application-level control over their execution. To address context-size limitations, plugins often accept free-text inputs from the model without validation or type checking. This creates an opportunity for attackers to craft malicious requests, potentially leading to severe consequences such as remote code execution, data exfiltration, or privilege escalation.

Remediation

• Implement strict input validation and type checking for all free-text inputs processed by the plugin.
• Use access control mechanisms to restrict plugin functionality based on the principle of least privilege.
• Require explicit authorisation for plugin-to-plugin communication, ensuring trust is established and verified.
• Enforce sandboxing for plugin execution to isolate plugins and prevent them from affecting the broader system.