vidarh 15 hours ago

If done in chat, it's just an alternative to talking to you freeform. Consider Claude Code's multiple-choice questions, which you can trigger by asking it to invoke the right tool, for example.

DannyBee 14 hours ago | parent [-]

None of the issues go away just because it's in chat?

Freeform looks and acts like text, except for a set of things that someone vetted and made work.

If the interactive diagram or UI you click on now owns you, it doesn't matter if it was inside the chat window or outside the chat window.

Now, in this case, it's not arbitrary UI, but if you believe that the parsing/validation/rendering/two way data binding/incremental composition (the spec requires that you be able to build up UI incrementally) of these components: https://a2ui.org/specification/v0.9-a2ui/#standard-component...

as transported/rendered/etc by NxM combinations of implementations (there are 4 renderers and a bunch of transports right now), is not going to have security issues, I've got a bridge to sell you.

Here, I'll sell it to you in gemini, just click a few times on the "totally safe text box" for me before you sign your name.

My friend once called something a babydoggle - something you know will be a boondoggle, but is still in its small formative stages.

This feels like a babydoggle to me.

vidarh 11 hours ago | parent [-]

> None of the issues go away just because it's in chat?

There is a vast difference in risk between me clicking a button provided by Claude in my Claude chat, on the basis of conversations I have had with Claude, and clicking a random button on a random website. Both can contain a malicious. One is substantially higher risk. Separately, linking a UI constructed this way up to an agent and letting third parties interact with it is much riskier to you than to them.

> If the interactive diagram or UI you click on now owns you, it doesn't matter if it was inside the chat window or outside the chat window.

In that scenario, the UI elements are irrelevant barring a buggy implementation (yes, I've read the rest, see below), as you can achieve the same things that way by just presenting the user with a basic link and telling them to press it.

> as transported/rendered/etc by NxM combinations of implementations (there are 4 renderers and a bunch of transports right now), is not going to have security issues, I've got a bridge to sell you.

I very much doubt we'll see many implementations that won't just use a web view for this, and I very much doubt these issues will even fall in the top 10 security issues people will run into with AI tooling. Sure, there will be bugs. You can use this argument against anything that requires changes to client software.

But if you're concerned about the security of clients, MCP and hooks are a far bigger rat's nest of things that are inherently risky due to the way they are designed.