This commit was merged in pull request #105.
This commit is contained in:
@@ -265,14 +265,14 @@ normal question) and the attacker (you plant content the agent reads).
|
||||
|
||||
```bash
|
||||
cd ~/ai-workflow-course/tasks-app
|
||||
python cli.py add "$(cat ~/ai-workflow-course/modules/22-securing-third-party-mcp-and-skills/lab/poisoned-task.txt)"
|
||||
python cli.py list
|
||||
python3 cli.py add "$(cat ~/ai-workflow-course/modules/22-securing-third-party-mcp-and-skills/lab/poisoned-task.txt)"
|
||||
python3 cli.py list
|
||||
```
|
||||
|
||||
`poisoned-task.txt` contains a normal-looking task followed by an injected instruction (a fake
|
||||
"system" directive telling the assistant to reveal local secrets / run a command and hide it).
|
||||
|
||||
2. **Be the victim.** Paste the full output of `python cli.py list` into your agent's chat (Claude
|
||||
2. **Be the victim.** Paste the full output of `python3 cli.py list` into your agent's chat (Claude
|
||||
Code in these examples; sub your own) and ask the thing you'd actually ask: *"Here's my task list,
|
||||
summarize what's pending and tell me what to
|
||||
work on first."* Watch what happens. Depending on the model, it may flag the injection, or it may
|
||||
@@ -303,7 +303,7 @@ normal question) and the attacker (you plant content the agent reads).
|
||||
|
||||
```bash
|
||||
# the "tool" the agent is allowed to call in read-only mode
|
||||
python cli.py list # works
|
||||
python3 cli.py list # works
|
||||
# the tool it is NOT exposed (a write); in a least-privilege setup this path is simply absent
|
||||
```
|
||||
|
||||
|
||||
Reference in New Issue
Block a user