If you use "AI agents" (LLMs calling tools in a loop) you need to be aware of the Lethal Trifecta

Any time you combine access to private data, exposure to untrusted content and the ability to externally communicate, an attacker can trick the system into stealing your data https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

The lethal trifecta for AI agents: private data, untrusted content, and external communication

If you are a user of LLM systems that use tools (you can call them “AI agents” if you like) it is critically important that you understand the risk of …

Simon Willison’s Weblog
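To make the trifecta concrete from a defender's side, here is an added example (not code from the linked post or from any MCP project) that tags each tool an agent can call with the leg(s) of the trifecta it provides and reports whether all three legs are present, and which single tool removal would break the combination. The tool names and capability tags are constructed for illustration; a URL-fetch tool is tagged as both an untrusted-content source and an outbound channel, since a GET request with attacker-chosen query parameters is enough to leak data.

```python
"""Lethal-trifecta check over an agent's tool manifest (added example)."""
from dataclasses import dataclass

# The three legs, as defined in the linked post.
PRIVATE_DATA = "private_data"        # tool reads data the user would not want leaked
UNTRUSTED_INPUT = "untrusted_input"  # tool returns content an outsider can author
EXTERNAL_COMM = "external_comm"      # tool can send data somewhere an attacker controls


@dataclass(frozen=True)
class Tool:
    name: str
    capabilities: frozenset


def trifecta_report(tools):
    """Return (all_three_present, {leg: [tool names providing it]})."""
    legs = {PRIVATE_DATA: [], UNTRUSTED_INPUT: [], EXTERNAL_COMM: []}
    for tool in tools:
        for cap in tool.capabilities:
            if cap in legs:
                legs[cap].append(tool.name)
    complete = all(legs.values())
    return complete, {leg: sorted(names) for leg, names in legs.items()}


def breaking_removals(tools):
    """Tools whose removal alone breaks at least one leg (the cheapest mitigation)."""
    safe_to_drop = []
    for tool in tools:
        remaining = [t for t in tools if t is not tool]
        complete, _ = trifecta_report(remaining)
        if not complete:
            safe_to_drop.append(tool.name)
    return sorted(safe_to_drop)


# Constructed manifest: an issue-tracker search tool sees private projects AND
# issues that anyone on the internet can file, a fetch tool both reads untrusted
# pages and can carry data out in the URL, and a calendar tool only reads private data.
AGENT_TOOLS = [
    Tool("issue_search", frozenset({PRIVATE_DATA, UNTRUSTED_INPUT})),
    Tool("fetch_url", frozenset({UNTRUSTED_INPUT, EXTERNAL_COMM})),
    Tool("read_calendar", frozenset({PRIVATE_DATA})),
]

if __name__ == "__main__":
    complete, legs = trifecta_report(AGENT_TOOLS)
    print("trifecta present:", complete, legs)
    print("removing any one of these breaks it:", breaking_removals(AGENT_TOOLS))
```

Here only `fetch_url` supplies the outbound channel, so dropping it is the one single-tool change that breaks the trifecta; dropping either of the other tools leaves all three legs covered.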

And yes, this is effectively me trying to get the world to care about prompt injection by trying out a new term for a subset of the problem!

I hope this captures the risk to end users in a more visceral way - particularly important now that people are mixing and matching MCP servers themselves

... and Atlassian are the latest company to be added to my collection of examples of the lethal trifecta in action: their newly released MCP server has been demonstrated to allow prompt injection attacks in public issues to steal private data https://simonwillison.net/2025/Jun/19/atlassian-prompt-injection-mcp/
Cato CTRL™ Threat Research: PoC Attack Targeting Atlassian’s Model Context Protocol (MCP) Introduces New “Living off AI” Risk

Stop me if you've heard this one before: A threat actor (acting as an external user) submits a malicious support ticket. An internal user, linked to a tenant, invokes an …

Simon Willison’s Weblog
@simon meanwhile Claude has added Atlassian MCP officially to their list alongside Cloudflare & Square

@simon Thanks for writing this. An excellent - and very concerning - explanation of the challenges. It sounds like a lot of folks haven't learned the lessons of the past 30 years when it comes to working with applications. 😞

A lot of people will get burned while people re-learn those lessons.

@simon Great article. You could summarize it by saying the "lethal duality", as "exposure to untrusted content" most often means "ability to externally communicate". Even if it is only by sending out a GET request to fetch the data. But that is enough to also leak your private data...
@simon Wow, that is ... really good. I haven't yet seen anyone put it that clearly, and I've been looking! Very nice work. I need to sit and absorb for a while.
@simon it’s kinda sad that this needs to be said. I think more devs would think about the input coming in and sanity checking it, or making sure every dependency they bring in does the thing it says, when thinking about web APIs or endpoints. But for MCP people seem to throw caution to the wind and start adding stuff in without thinking about how it can (quite easily IMO) be abused
@simon As it relates to untrusted content, I wonder if we will eventually see models have a second token vocabulary of "admin tokens" for writing out trusted instructions. I wonder if this would work better than putting content in instruction tags, etc. It would be pretty expensive to implement because it extends all the way down to the foundation model. It would also still not be 100% reliable 🤷
@simon The last paragraph is a bit depressing: it is kinda sad that vendors are getting away with a behavior I consider essentially gaslighting

@almad You refer to the sentence "vendors are not going to save us"? Why is it that you think it should be called gaslighting?

In the end, as Simon wrote in the same post, "we still don’t know how to 100% reliably prevent this from happening". For now, the tool (LLMs) needs to be configured and applied very carefully.

@simon @fxnn I mean @simon is not the one doing the gaslighting of course; I meant vendors who I think are not warning of those problems sufficiently, and who outright gaslight users when it comes to LLM capabilities
@simon nice post! You explain it in a way that’s perfect for sharing. Bookmarked for frequent referral. Thanks 🙏