Animats 6 hours ago

> "This attack is not dependent on the injection source - other injection sources include, but are not limited to: web data from Claude for Chrome, connected MCP servers, etc."

Oh, no, another "when in doubt, execute the file as a program" class of bugs. Windows XP was famous for that. And gradually Microsoft stopped auto-running anything that came along that could possibly be auto-run. These prompt-driven systems need to be much clearer on what they're allowed to trust as a directive.

adastra22 4 hours ago | parent

That's not how they work. Everything input into the model is treated the same. There is no separate instruction stream, nor can there be with the way that the models work.