I know this isn't even the worst example, but the whole LLM craze has been insane to witness. Just releasing dangerous tools onto an uneducated and unprepared public and now we have to deal with the consequences because no one thought "should we do this?"

These prompt injection techniques are increasingly implausible* to me yet theoretically sound.

Anyone know what can avoid this being posted when you build a tool like this? AFAIK there is no simonw blessed way to avoid it.

* I upload a random doc I got online, don’t read it, and it includes an API key in it for the attacker.

Everything is a .exe if you're LLM enough.

I found a bunch of potential vulnerabilities in the example Skills .py files provided by Anthropic. I don't believe the CVSS/Severity scores though:

| Skill | Title | CVSS | Severity |

| webapp-testing | Command Injection via `shell=True` | 9.8 | *Critical* |

| mcp-builder | Command Injection in Stdio Transport | 8.8 | *High* |

| slack-gif-creator | Path Traversal in Font Loading | 7.5 | *High* |

| xlsx | Excel Formula Injection | 6.1 | Medium |

| docx/pptx | ZIP Path Traversal | 5.3 | Medium |

| pdf | Lack of Input Validation | 3.7 | Low |

So, I guess we're waiting on the big one, right? The ?10+? billion dollar attack?

I know it might slow things down, but why not do this:

1. Categorize certain commands (like network/curl/db/sql) as `simulation_required` 2. Run a simulation of that command (without actual execution) 3. As part of the simulation run a red/blue team setup, where you have two Claude agents each either their red/blue persona and a set of skills 4. If step (3) does not pass, notify the user/initiator

The Confused Deputy [1] strikes again. Maybe this time around capabilities-based solutions will get attention.

[1] https://web.archive.org/web/20031205034929/http://www.cis.up...

is it not a file exfiltrator, as a product

If you don’t read the skills you install in your agent, you really shouldn’t be using one.