Bluesky Thread

MCP Colors

View original thread
MCP Colors

A riff off of the lethal trifecta for addressing prompt injection, this is a simple heuristic to ensure security at runtime

red = untrusted content
blue = potentially critical actions

An agent can't be allowed to do both

timkellogg.me/blog/2025/11...
timkellogg.me
MCP Colors: Systematically deal with prompt injection risk
32 4
inspired by reactions from this one bsky.app/profile/timk...
Tim Kellogg @timkellogg.me
Rule of Two: fighting prompt injection

@simonwillison.net posted on a new phrasing of the Lethal Trifecta that changes one node to “externally communicate OR change state”

in my own work, my version was “OR perform critical actions”

simonwillison.net/2025/Nov/2/n...
A Venn diagram labeled “Choose Two” at the top, illustrating risk tradeoffs among three capabilities for AI agents. Three overlapping circles are shown, each marked with a letter and description: • A. Process untrustworthy inputs — “Externally authored data may contain prompt injection attacks that turn an agent malicious.” • B. Access to sensitive systems or private data — “This includes private user data, company secrets, production settings and configs, source code, and other sensitive data.” • C. Change state or communicate externally — “Overwrite or change state through write actions, or transmitting data to a third actor through web requests or tool calls.” The overlaps between any two circles are labeled “Safe,” while the center overlap of all three is labeled “Danger.” This conveys that combining any two capabilities can be acceptable, but allowing all three simultaneously introduces serious security risk.
1
32 likes 4 reposts

More like this

MCP is a lot deeper than just tools. We haven't scratched the surface on what...

i don’t know why MCP exists

New MCP Spec Just Dropped
×