本文由 AI 分析生成
建立時間: 2026-03-28 來源: https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
Summary
Simon Willison (June 2025) names and defines the “lethal trifecta” — the combination of three tool capabilities that makes AI agents trivially exploitable: access to private data + exposure to untrusted content + ability to externally communicate. Any LLM system combining these three is vulnerable to indirect prompt injection attacks that can steal user data. Vendor guardrails are insufficient; users must avoid the combination entirely.
Simon Willison(2025 年 6 月)命名並定義了「致命三元組」——三種工具能力的組合使 AI 代理容易被攻擊:訪問私人數據 + 接觸不受信任內容 + 外部通信能力。任何結合這三者的 LLM 系統都容易受到間接提示注入攻擊,可能竊取用戶數據。供應商的護欄不夠充分;用戶必須完全避免這種組合。
Key Points
- The lethal trifecta: (1) access to private data, (2) exposure to untrusted content (web pages, emails, documents, images), (3) ability to externally communicate (HTTP, email, links)
- Root cause: LLMs follow instructions in content — they cannot reliably distinguish operator instructions from attacker-injected instructions
- Attack vector: attacker embeds malicious instructions in content the agent reads; agent follows them, exfiltrating private data
- MCP amplifies the risk: encourages mixing tools from different sources; many tools combine all three trifecta properties (e.g., GitHub MCP: reads public issues, accesses private repos, creates PRs)
- Guardrails are insufficient: “95% detection” is a failing grade in security; no reliable technical prevention exists
- Simon coined “prompt injection” in 2022 — named after SQL injection; distinct from jailbreaking
- Affected systems documented: ChatGPT, GitHub Copilot, Microsoft 365 Copilot, GitLab Duo, Slack AI, Google NotebookLM, Amazon Q, xAI Grok, Anthropic Claude iOS, and more
Insights
Willison’s framing is precise and useful because it converts an abstract security concept (“prompt injection”) into a concrete 3-part checklist users can evaluate for any agent setup. The “vendor fix” pattern (restrict exfiltration vector) explains why vendor-managed products often get patched but self-assembled tool combinations remain permanently exposed. The email example is particularly clarifying: email is simultaneously a source of untrusted content (attacker-controlled) and a common reason to grant private-data access — making it a natural trifecta in one. The CaMeL paper approach (Google DeepMind) offers a promising architectural mitigation but requires developer-side adoption.
Connections
Raw Excerpt
If your agent combines these three features, an attacker can easily trick it into accessing your private data and sending it to that attacker. The only way to stay safe there is to avoid that lethal trifecta combination entirely.