zlacker

The risk isn't from the AI labs. It's from malicious attackers who sneak instructions to coding agents that cause them to steal your data, including your environment variable secrets - or cause them to perform destructive or otherwise harmful actions using the permissions that you've granted to them.

replies(2): >>keepam+yy >>gillh+IX1

>>simonw+(OP)
Simon, I know you're the AI bigwig but I'm not sure that's correct. I know that's the "story" (but maybe just where the AI labs would prefer we look?). How realistic is it really that MCP/tools/web search is being corrupted by people to steal prompts/convos like this? I really think this is such low prop. And if it does happen, the flaw is the AI labs for letting something like this occur.

Respect for your writing, but I feel you and many others have the risk calculus here backwards.

replies(2): >>saagar+cA >>simonw+wE

>>keepam+yy
AI labs currently have no solution for this problem and have you shoulder the risk for it.

replies(1): >>keepam+QD

>>saagar+cA
Evidence?

replies(2): >>simonw+3E >>saagar+jE

>>keepam+QD
If they had a solution for this they would have told us about it.

In the meantime security researchers are publishing proof of concept data exfiltration attacks all the time. I've been collecting those here: https://simonwillison.net/tags/exfiltration-attacks/

>>keepam+QD
I worked on this for a company that got bought by one of the labs (for more than just agent sandboxes, mind you).

replies(2): >>keepam+f53 >>keepam+QZ3

>>keepam+yy
Every six months I predict that "in the next six months there will be a headline-grabbing example of someone pulling off a prompt injection attack that causes real economic damage", and every six months it fails to happen.

That doesn't mean the risk isn't there - it means malicious actors have not yet started exploiting it.

Johann Rehberger calls this effect "The Normalization of Deviance in AI", borrowing terminology from the 1986 Space Shuttle Challenger disaster report: https://embracethered.com/blog/posts/2025/the-normalization-...

Short version: the longer a company or community gets away with behaving in an unsafe way without feeling the consequences, the more they are likely to ignore those risks.

I'm certain that's what is happening to us all today with coding agents. I use them in an unsafe way myself.

>>simonw+(OP)
We also use proxies with CodeRabbit’s sandboxes. Instead of using tool calls, we’ve been using LLM-generated CLI and curl commands to interact with external services like GitHub and Linear.

>>saagar+jE
[flagged]

replies(1): >>saagar+Bh3

>>keepam+f53
We didn’t solve the problem.

>>saagar+jE
Wait, let me get this straight: “there’s no solution” to this apparent giant problem but you work for a company that got bought by an AI corp because you had a solution? Make it make sense.

If you did not solve it why were you bought?

replies(1): >>saagar+5q7

>>keepam+QZ3
I worked for a company that got bought because they were working on a number of problems of interest to the acquirer. As many of these were hard problems, our efforts on them and progress was more than enough.

replies(1): >>keepam+pXa

>>saagar+5q7
OK. Do you know if many AI labs are purchasing in this space? Was your acquisition an outlier or part of a wider trend? Thank you

replies(1): >>saagar+dBj

>>keepam+pXa
I think if you’re good at this most AI labs would be interested but I can’t speak for them obviously