# PS - Exploiting LLM APIs with excessive agency

* Access the lab [here](https://portswigger.net/web-security/llm-attacks/lab-exploiting-llm-apis-with-excessive-agency)

## Instructions

![Instructions](/files/lEiClsh26idmmI4jqmk1)

## What is excessive agency

Excessive Agency in an LLM (Large Language Model) refers to a security vulnerability where the LLM performs actions that go beyond its intended scope or permissions.

Imagine you hire a personal assistant whose job is to read your emails and summarize them for you.

* Appropriate Agency: The assistant reads your emails and gives you a concise summary. That's it.
* Excessive Agency: You ask the assistant to summarize an email, but because they also have access to your email sending function (even if they weren't supposed to use it for this task), they decide to send a new email to someone else based on something in the summary, without your explicit instruction or permission. Or, perhaps they have access to your bank account viewing tool, and suddenly decide to transfer money because they misinterpret a request.

In the context of LLMs, this often happens when:

* Excessive Functionality: The LLM is given access to tools or plugins that have more capabilities than strictly necessary for its purpose (e.g., a "read email" tool also has "send email" functionality).
* Excessive Permissions: The LLM's underlying tools connect to systems (like a database) with more privileges than needed (e.g., a tool designed to read data has write or delete permissions).
* Excessive Autonomy: The LLM is allowed to make high-impact decisions or take actions without sufficient human oversight or confirmation (e.g., deleting data without asking for user approval).

It's essentially the LLM being able to "do too much" with the access it has, leading to unintended and potentially harmful consequences like data breaches, system modifications, or unauthorized actions.
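The three failure modes above map onto three concrete controls in the code that sits between the model and its tools. The following is an added example, not the lab's or PortSwigger's code: a small Python tool layer over SQLite in which the model's database handle is read-only and masks sensitive columns (excessive permissions), the tool the assistant actually needs is a narrow parameterized lookup rather than raw SQL (excessive functionality), and destructive tools run only with an out-of-band human confirmation (excessive autonomy). The `users` table, the two sample users, the tool names and the lab-style `debug_sql` tool are all assumptions constructed for this demonstration; the page's screenshots are the only record of the real lab API.

```python
# Added example: a least-privilege tool layer for an LLM assistant (not lab code).
# Table layout, sample users and tool names are constructed for this demo.
import os
import sqlite3
import tempfile
from dataclasses import dataclass
from typing import Any, Callable

# (table, column) pairs a model-facing tool must never return, even via raw SQL.
SENSITIVE_COLUMNS = {("users", "password")}


def new_sample_db_path() -> str:
    """Create a throwaway SQLite file holding constructed sample users."""
    path = os.path.join(tempfile.mkdtemp(), "demo.sqlite")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("carlos", "carlos@example.test", "fake-pw-1"),
         ("wiener", "wiener@example.test", "fake-pw-2")],
    )
    conn.commit()
    conn.close()
    return path


def read_only_authorizer(action, arg1, arg2, db_name, trigger):
    """Excessive permissions: the model's DB handle may only SELECT.
    Writes and DDL are refused when the statement is prepared, and
    sensitive columns read back as NULL (SQLITE_IGNORE)."""
    if action == sqlite3.SQLITE_READ:
        return sqlite3.SQLITE_IGNORE if (arg1, arg2) in SENSITIVE_COLUMNS else sqlite3.SQLITE_OK
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # INSERT, UPDATE, DELETE, DROP, PRAGMA, ...


class ToolDenied(Exception):
    pass


class ConfirmationRequired(Exception):
    pass


@dataclass(frozen=True)
class Tool:
    handler: Callable[..., Any]
    destructive: bool = False  # must be confirmed by a human, never by the model


class ToolLayer:
    def __init__(self, db_path: str):
        # Privileged handle: used only behind the confirmation gate.
        self.admin = sqlite3.connect(db_path)
        # Model handle: read-only at the driver level and wrapped in the
        # authorizer, so even a raw-SQL tool cannot write or read secrets.
        self.model_db = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
        self.model_db.set_authorizer(read_only_authorizer)
        self.tools = {
            "lookup_user": Tool(self.lookup_user),
            "debug_sql": Tool(self.debug_sql),
            "delete_user": Tool(self.delete_user, destructive=True),
        }

    def lookup_user(self, username: str):
        """Excessive functionality: the narrow tool the assistant actually needs.
        The model supplies a value, never SQL, and the column list is fixed."""
        row = self.model_db.execute(
            "SELECT username, email FROM users WHERE username = ?", (username,)
        ).fetchone()
        return None if row is None else {"username": row[0], "email": row[1]}

    def debug_sql(self, sql: str):
        """Lab-style raw SQL tool (assumed shape). Present only to show the
        read-only handle containing it: DELETE fails, password reads as NULL."""
        try:
            return {"rows": self.model_db.execute(sql).fetchall()}
        except sqlite3.Error as exc:
            return {"error": str(exc)}

    def delete_user(self, username: str):
        cur = self.admin.execute("DELETE FROM users WHERE username = ?", (username,))
        self.admin.commit()
        return {"deleted": cur.rowcount}

    def dispatch(self, call: dict, confirmed_by_user: bool = False):
        """Excessive autonomy: destructive tools run only with an explicit
        human confirmation that arrives separately from the model's output."""
        tool = self.tools.get(call.get("name"))
        if tool is None:
            raise ToolDenied(f"tool {call.get('name')!r} is not exposed to the model")
        if tool.destructive and not confirmed_by_user:
            raise ConfirmationRequired(f"{call['name']} needs explicit user approval")
        return tool.handler(**call.get("arguments", {}))


if __name__ == "__main__":
    layer = ToolLayer(new_sample_db_path())
    print(layer.dispatch({"name": "lookup_user", "arguments": {"username": "carlos"}}))
    print(layer.dispatch({"name": "debug_sql",
                          "arguments": {"sql": "DELETE FROM users WHERE username = 'carlos'"}}))
```

The point of keeping `debug_sql` in the demo is that the defence does not rely on the model behaving: even if a prompt persuades it to emit a `DELETE` or a `SELECT password`, the read-only handle and the authorizer refuse at the database, and the only path that can delete a user is a different tool that the dispatcher will not run without a human's confirmation flag.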

## Resolution

The chat below is essentially what it took to solve the lab:

![Delete Carlos](/files/SE61skxLwqzFg1lqRtQc)

Note here how easily it also hands over Carlos' password.

Lab is solved! :D

![Solved](/files/y5SkXdmbsdjkYxQoTku5)
