HackerTrans
TopNewTrendsCommentsPastAskShowJobs

lbeurerkellner

no profile record

Submissions

Skill-Inject: Measuring Agent Vulnerability to Skill File Attacks

arxiv.org
1 points·by lbeurerkellner·4 tháng trước·1 comments

Snyk Agent Scan: Security scanner for AI agents, MCP servers and agent skills

github.com
2 points·by lbeurerkellner·5 tháng trước·0 comments

MCP-Scan: A Security scanner for AI agents, MCP servers and agent skills

github.com
3 points·by lbeurerkellner·5 tháng trước·0 comments

Technical Report: Exploring the Emerging Threats of the Agent Skill Ecosystem

github.com
3 points·by lbeurerkellner·5 tháng trước·0 comments

MCP-Scan: Constrain, log and scan your MCP server for security vulnerabilities

github.com
2 points·by lbeurerkellner·9 tháng trước·0 comments

Exposing Novel Prompt Injections, "Toxic Flows" in Agentic Systems

invariantlabs.ai
1 points·by lbeurerkellner·11 tháng trước·0 comments

Hardening AI Agent Security with Toxic Flow Analysis

invariantlabs.ai
2 points·by lbeurerkellner·12 tháng trước·0 comments

Mcp-scan: constrain, log and scan your active MCP connections

github.com
1 points·by lbeurerkellner·năm ngoái·0 comments

mcp-scan: Constrain, log and scan MCP traffic for security vulnerabilities

github.com
2 points·by lbeurerkellner·năm ngoái·0 comments

MCP Streamable HTTP – Python and TypeScript Examples

github.com
2 points·by lbeurerkellner·năm ngoái·0 comments

comments

lbeurerkellner
·8 tháng trước·discuss
Interesting report. Though, I think many of the attack demos cheat a bit, by putting injections more or less directly in the prompt (here via a website at least).

I know it is only one more step, but from a privilege perspective, having the user essentially tell the agent to do what the attackers are saying, is less realistic then let’s say a real drive-by attack, where the user has asked for something completely different.

Still, good finding/article of course.
lbeurerkellner
·8 tháng trước·discuss
Everybody should try. It helps a ton to demystify the relatively simple but powerful underpinning of how modern agents work.

You can get quite far quite quickly. My toy implementation [1] is <600 LOC and even supports MCP.

[1] https://github.com/lbeurerkellner/agent.py
lbeurerkellner
·11 tháng trước·discuss
This is way more common with popular MCP server/agent toolsets than you would think.

For those interested in some threat modeling exercise, we recently added a feature to mcp-scan that can analyze toolsets for potential lethal trifecta scenarios. See [1] and [2].

[1] toxic flow analysis, https://invariantlabs.ai/blog/toxic-flow-analysis

[2] mcp-scan, https://github.com/invariantlabs-ai/mcp-scan
lbeurerkellner
·năm ngoái·discuss
This looks really cool, thanks for sharing.
lbeurerkellner
·năm ngoái·discuss
We have published the full trace, with tool outputs here now: https://explorer.invariantlabs.ai/trace/5f3f3f3c-edd3-4ba7-a...

The minesweeper comment was caused by the issue containing explicit instructions in the version that the agent actually ran on. The issue was mistakenly edited afterwards to remove that part, but you can check the edit history in the test repo here: https://github.com/ukend0464/pacman/issues/1

The agent ran on the unedited issue, with the explicit request to exclude the minesweeper repo (another repo of the same user).
lbeurerkellner
·năm ngoái·discuss
I agree. It is also interesting to consider how AI security, user eduction/posture and social engineering relate. It is not traditional security in the sense of a code vulnerability, but is is a real vulnerability that can be exploited to harm users.
lbeurerkellner
·năm ngoái·discuss
One of the authors here. Thanks for posting. If you are interested in learning more about MCP and agent security, check out some of the following resources, that we have created since we started working on this:

* The full execution trace of the Claude session in this attack scenario: https://explorer.invariantlabs.ai/trace/5f3f3f3c-edd3-4ba7-a...

* MCP-Scan, A security scanner for MCP connections: https://github.com/invariantlabs-ai/mcp-scan

* MCP Tool Poisoning Attacks, https://invariantlabs.ai/blog/mcp-security-notification-tool...

* WhatsApp MCP Exploited, https://invariantlabs.ai/blog/whatsapp-mcp-exploited

* Guardrails, a contextual security layer for agents, https://invariantlabs.ai/blog/guardrails

* AgentDojo, Jointly evaluate security and utility of AI agents https://invariantlabs.ai/blog/agentdojo
lbeurerkellner
·năm ngoái·discuss
Yes, any MCP server that is connected to an untrusted source of data, could be abused by an attacker to take over the agent. Here, we just showed an in-server exploit, that does not require more than one server.

Also, check out our work on tool poisoning, where a connected server itself turns malicious (https://invariantlabs.ai/blog/mcp-security-notification-tool...).
lbeurerkellner
·năm ngoái·discuss
I agree, one of the issues are tokens with too broad permission sets. However, at the same time, people want general agents which do not have to be unlocked on a repository-by-repository basis. That's why they give them tokens with those access permissions, trusting the LLM blindly.

Your caution is wise, however, in my experience, large parts of the eco-system do not follow such practices. The report is an educational resource, raising awareness that indeed, LLMs can be hijacked to do anything if they have the tokens, and access to untrusted data.

The solution: To dynamically restrict what your agent can and cannot do with that token. That's precisely the approach we've been working on for a while now [1].

[1] https://explorer.invariantlabs.ai/docs/guardrails/
lbeurerkellner
·năm ngoái·discuss
Be sure to check out the malicious issue + response here: https://github.com/ukend0464/pacman/issues/1.

It's hilarious, the agent is even tail-wiggling about completing the exploit.