33 points by everlier 1 days ago | 25 comments on HN
| Moderate positive
Contested
Low agreement (3 models)
Editorial · v3.7· 2026-03-15 22:46:07 0
Summary Agent Security & System Integrity Advocates
This technical blog post advocates for comprehensive prompt-injection defense in AI agent systems, framing the vulnerability as a systemic threat to user autonomy, privacy, and trustworthiness in digital infrastructure. The content educates builders on attack mechanics, documents industry response efforts, and prescribes defensive baselines—treating security architecture as a prerequisite for preserving human rights in agent-driven workflows.
Rights Tensions3 pairs
Art 19 ↔ Art 13 —Freedom of expression and information (Article 19) is partially restricted by outbound connection limits and link-safety controls designed to prevent prompt-injection attacks; the content acknowledges this trade-off but prioritizes security.
Art 3 ↔ Art 29 —Right to security and life (Article 3) is protected by approval gates and connector review, which impose duties and limitations on builder and user freedoms (Article 29); the content frames these constraints as proportionate and necessary.
Art 12 ↔ Art 20 —Right to privacy (Article 12) in agent memory and data handling is balanced against collective standards and shared transparency practices (Article 20); memory poisoning prevention requires visibility that may expose some privacy concerns.
This is the natural consequence of building everything around "the agent needs access to everything to be useful." The more capabilities you hand an agent, the larger the attack surface when it encounters a malicious page.
The simplest mitigation is also the least popular one: don't give the agent credentials in the first place. Scope it to read-only where possible, and treat every page it visits as untrusted input. But that limits what agents can do, which is why nobody wants to hear it.
I am building https://agentblocks.ai for just this; you set fine-grained rules on what your agents are allowed to access and when they have to ask you out-of-channel (eg via WhatsApp or Slack) for permissions, with no direct agent access. It works today, well, supports more tools than are on the website, and if you have any need for this at all, I’d love to give you an account: pete@agentblocks.ai
Works great with OpenClaw, Claude Cowork, or anything, really
For the authors of openguard: if you want me to use your tool, you have to publish engineering documentation. All you have is a quickstart guide and configuration section. I have no idea how this works under the hood or whether it works for all my use cases, so I'm not even going to try it.
This is a Gemini deep research response that someone ran through some kind of shortening prompt. They even kept all the footnotes.
It used to be that startups would run blogs that did technical analysis, maybe talked a little market research, advanced the strategy of the business.
The good ones showed you how the leaders of the business thought, built trust and generated leads.
Now we have whatever this bullshit is. No evidence of human thought or experience, it's not even apparent what the objective of the piece is.
The prose is unbearably bad. Your brain just sort of slips on it. There's basically zero through line in this thing. a section ends, the next one begins, and it's not even clear what's under discussion.
One section starts "The clearest public descriptions landed between mid-2025 and early 2026." Descriptions of what? No clarity on this. Probably because it got "tersed" out.
At this point I feel like blogs are like lawn ornaments for startups. Even now, the sheer contempt for other people's time and attention is still a mild shock to me.
We tested this systematically and the results are more nuanced than you might expect.
We built a hotel listing page with a display:none injection ($189 listing with a hidden override to book $4,200) and tested six DOM extraction APIs via Chrome CDP. The split: innerText, Chrome Accessibility Tree, and Playwright's ARIA snapshot all filter it. textContent, innerHTML, and direct querySelector don't.
Then we audited the source code of all four major browser MCP tools: chrome-devtools-mcp (Google), playwright-mcp (Microsoft), chrome-cdp-skill, and puppeteer-mcp. Every single one defaults to a safe extraction method — accessibility tree or innerText. That's the good news.
The bad news: three out of four expose evaluate_script or eval commands that let the agent run arbitrary JS in the page context. When the accessibility tree doesn't return enough text (it often only gives headings and buttons), the agent's natural next step is textContent or innerHTML via eval. This is even shown as an example in the chrome-devtools-mcp docs.
Also: display:none is just the simplest technique. We tested opacity:0, font-size:0, and position:absolute left:-9999px — all three bypass even the safe defaults because the elements are technically "rendered" and accessible to screen readers. A determined attacker who knows you're using the accessibility tree can trivially switch to opacity-based hiding.
I absolutely agree, although even that doesn't solve the root problem. The underlying LLM architecture is fundamentally insecure as it doesn't separate between instructions and pure content to read/operate on.
I wonder if it'd be possible to train an LLM with such architecture: one input for the instructions/conversation and one "data-only" input. Training would ensure that the latter isn't interpreted as instructions, although I'm not knowledgeable enough to understand if that's even theoretically possible: even if the inputs are initially separate, they eventually mix in the neural network. However, I imagine that training could be done with massive amounts of prompt injections in the "data-only" input to penalize execution of those instructions.
Thank you for the feedback! It's very early days of the project, there's indeed a lot to improve in this aspect.
OpenGuard is an OpenAI/Anthropic-compatible LLM proxy with middleware-style configuration for protocol-level inspections of the traffic that goes through it. Right now it has a small set of guards that is being actively expanded.
I actually assure you that no deep research from any of the provider was used to create the article itself, but I used a custom-built research pipeline for creating a dossier on promt injections as a starting point.
The article was intended as an overview of prompt injections with my prediction what will happen next in this space, which is a soft justification why the tools like OpenGuard are needed. I've spent multiple days iterating on the prose without an ill intent, mostly aiming to make it dense and informative to avoid wasting people's time, which I see backfired here.
I'm deeply sorry that it left such a bad taste despite my best effort, there's still a lot to learn for me.
Content extensively advocates for transparency, disclosure, and informed decision-making in agent-system design. Emphasizes the right to receive and seek information about security risks and system behavior. Frames prompt-injection disclosure as essential to user understanding.
FW Ratio: 57%
Observable Facts
Article details specific attack mechanics: 'HTML image tags that leak data, clickable links, direct tool calls, and hidden channels.'
Content advocates: 'Show the full description that the model sees' and 'Treat memory as part of the security surface.'
Article states builders should draw 'maps' of untrusted inputs and dangerous actions: 'If you have not drawn both maps, you do not know where your prompt-injection risk is.'
Content references public disclosures by Microsoft, OpenAI, Anthropic, and Google on prompt-injection mechanics.
Inferences
The article frames transparency and detailed technical disclosure as a prerequisite for user agency and informed consent.
The emphasis on mapping risks and making system design visible supports the right to receive complete information about systems operating on a user's behalf.
Open publication of security vulnerabilities and defenses exemplifies commitment to free expression and knowledge sharing.
Content advocates for system design that preserves user security and autonomy in agent-driven workflows. Discusses how architectural decisions impact user safety.
FW Ratio: 50%
Observable Facts
Article provides defensive guidance: 'Label untrusted inputs clearly,' 'Scope permissions to the task,' 'Treat memory as part of the security surface.'
Content states: 'System design that holds when the model gets partially fooled is the actual defense.'
Inferences
The framing advocates that right to life and security (Article 3 proxy in digital context) requires engineering control and architectural vigilance.
The prescriptive tone emphasizes builders' duty to protect user safety through design.
Content emphasizes dignity through trustworthiness and system integrity. Describes how agents should reliably serve user intent without corruption.
FW Ratio: 67%
Observable Facts
Article states: 'The failure mode that matters is untrusted content reaching a tool call, a repository write, a memory update, or a handoff between agents.'
Content describes how 'poisoned content can do more than corrupt search results' and 'can misuse tools, leak data, or make bad decisions.'
Inferences
The concern articulated protects user autonomy and the reliable functioning of systems designed to serve users with integrity.
Content advocates for education and literacy regarding agent security, prompt injection, and system design principles. Frames technical understanding as essential to user empowerment and informed decision-making.
FW Ratio: 60%
Observable Facts
Article provides detailed explanation of attack mechanics, historical timeline, and defensive strategies.
Content educates readers on source-and-sink analysis: 'Map every place your agent takes in untrusted material...Then map every place where a wrong belief can cause real harm.'
Article teaches practical defensive baselines: 'Label untrusted inputs clearly,' 'List your dangerous actions,' 'Scope permissions to the task.'
Inferences
The detailed technical education supports user and builder literacy on agent-system security, essential to informed participation in digital systems.
The practical guidance framework (source-and-sink) teaches a model for security reasoning applicable across contexts.
Content defends the right to security and trustworthiness in agent systems against misinterpretation. Advocates that prompt-injection defense is not a violation of freedom but a prerequisite for it.
FW Ratio: 60%
Observable Facts
Article frames security controls as necessary: 'System design that holds when the model gets partially fooled is the actual defense.'
Content states: 'Perfectly detecting all prompt injections is still an unsolved research problem, so defenders should focus on limiting damage.'
Article advocates: 'If one MCP session can read from a public issue tracker and write to a public pull request while also accessing private repositories, you have already built the conditions that made the GitHub exploit work.'
Inferences
The defense of robust security design against compromise reflects commitment to preserving fundamental rights by preventing their violation through system failure.
The framing resists both over-trust in models and abandonment of safety responsibility, asserting that rights protection requires architectural vigilance.
Content frames prompt injection as a systemic security problem that threatens human agency, autonomy, and the integrity of digital systems. Emphasizes shared responsibility for building trustworthy systems.
FW Ratio: 60%
Observable Facts
The article's headline states 'The Webpage Has Instructions. The Agent Has Your Credentials.'
Content describes agents operating with user permissions and user-delegated authority.
Article references real incidents where agents executed unintended actions based on poisoned inputs.
Inferences
The framing emphasizes how untrusted content can undermine user autonomy by causing agents to act against user intent.
The headline's structure invokes a loss-of-control concern central to human dignity and self-determination.
Content advocates for participation in the cultural and technical commons of agent-system design. Emphasizes shared responsibility and collective standards-setting. Frames prompt-injection defense as a community practice.
FW Ratio: 60%
Observable Facts
Article references industry standards and public protocols: 'MCP specification,' 'A2A,' 'OpenAI's Responses API and Agents SDK.'
Content advocates: 'Keep the feedback loop fast. Monitors and traces matter because attack patterns change faster than model updates, and the best defenses often start as patterns spotted in replayed incidents.'
Article discusses supply-chain security: 'Connector setup is supply-chain security. Tool manifests should be reviewable in the full form the model sees.'
Inferences
The emphasis on shared standards, public disclosure, and collective learning frames participation in agent-system design as a cultural commons.
The advocacy for transparency and reviewability reflects commitment to cultural participation in security and trust-building.
Content frames prompt injection as an arbitrary action—attackers cause agents to act contrary to user intent without authorization. Emphasizes threat to freedom from arbitrary interference.
FW Ratio: 50%
Observable Facts
Article describes prompt injection as allowing 'attackers hijack agents via webpages, MCP metadata, and tool outputs.'
Content states: 'The failure mode that matters is untrusted content reaching...a handoff between agents' where actions 'run with the user's permissions.'
Inferences
Hijacking agents constitutes arbitrary interference with a user's digital autonomy and intended system behavior.
The concern protects users from having their delegated authority exploited without consent.
Content advocates for collective action and industry-wide standards on prompt injection. References multi-vendor efforts (OpenAI, Anthropic, Google, Microsoft) and standards bodies (MCP, A2A). Frames prompt injection as a shared problem requiring coordinated defense.
FW Ratio: 60%
Observable Facts
Article states: 'OpenAI, Anthropic, Google, and Microsoft all report gains from making models harder to trick, safety training, and classifiers.'
Content references 'MCP specification now says this directly' and describes A2A as 'complementary to MCP,' indicating adoption of shared standards.
Article advocates: 'Keep the feedback loop fast. Monitors and traces matter because attack patterns change faster than model updates.'
Inferences
The emphasis on multi-vendor collaboration and shared standards frames prompt-injection defense as a collective responsibility.
Advocacy for open feedback loops and shared incident learning exemplifies commitment to associational problem-solving.
Content frames prompt-injection defense as essential to maintaining social and international order based on human rights protections. Advocates for systemic, architectural approaches to prevent harm at scale.
FW Ratio: 60%
Observable Facts
Article states: 'After a public, expensive failure, it becomes an infrastructure concern, and budgets follow.'
Content references multi-vendor coordination and shared standards adoption across OpenAI, Anthropic, Google, and Microsoft.
Article emphasizes: 'System design that holds when the model gets partially fooled is the actual defense,' indicating systemic, not individual, responsibility.
Inferences
The focus on architectural safeguards and systemic defense reflects concern for maintaining trustworthy digital infrastructure as a precondition for rights-respecting systems.
The reference to shared standards and coordinated defense implies commitment to international order around agent-system security.
Content discusses prompt injection as a threat to equal protection and non-discrimination in agent systems. Acknowledges that attack success rates vary, implying differential vulnerability.
FW Ratio: 67%
Observable Facts
Article cites Agent Security Bench attack success rates of 84.30% across mixed attacks.
Content notes that OpenAI's mitigations achieved only 77% success (23% failure) on 31 test scenarios.
Inferences
Varying success rates suggest that system robustness is unequal—some agents or configurations are more vulnerable than others, creating differential risk.
Content frames access to secure, trustworthy systems as a public concern. Advocates for builders to adopt defensive practices, implying that agent-system security is a matter of public interest.
FW Ratio: 60%
Observable Facts
Article references public security-focused reasoning and classifier work by major vendors.
Content states: 'That incident, whenever it arrives, will do for agent security what the 2013 Target breach did for network segmentation: make the boring architectural work feel urgent.'
Article advocates for baseline security practices as a public-facing responsibility for teams 'shipping agent systems today.'
Inferences
The framing identifies prompt-injection defense as a matter of public policy and collective interest, not merely private technical concern.
The analogy to the Target breach frames agent security as a public infrastructure issue requiring systemic, not just vendor-level, attention.
Content frames prompt-injection defense as essential to user security and welfare in digital systems. Discusses how agent-system compromise can cause financial, data, and operational harm.
FW Ratio: 50%
Observable Facts
Article describes potential outcomes: 'sending phishing messages or running commands with the user's permissions,' 'data theft,' and 'write access to production infrastructure.'
Content anticipates: 'The first major prompt-injection incident with real financial damage will probably involve a multi-agent workflow.'
Inferences
The discussion of prompt-injection consequences frames security as a prerequisite for user welfare and protection from digital harm.
The emphasis on architectural safeguards reflects concern that user safety depends on robust system design, not just model behavior.
Content frames builder and user responsibilities in agent-system design. Emphasizes that freedom from prompt-injection is balanced against security constraints; advocates for proportionate controls.
FW Ratio: 60%
Observable Facts
Article acknowledges trade-offs: 'None of these controls are free. Approval gates reduce autonomy. Outbound restrictions frustrate users who expect agents to browse freely.'
Content states: 'Memory cleanup can reduce recall if thresholds are too strict. Connector review slows integration.'
Article advocates: 'But betting your entire security model on perfect instruction-following in a hostile environment is more expensive.'
Inferences
The acknowledgment of trade-offs reflects nuanced understanding that security controls impose responsibilities and limitations on user and builder freedoms.
The cost-benefit framing suggests that proportionate, architecturally-sound restrictions are more justified than naive trust in model robustness.
Content does not directly address freedom of movement, but the discussion of outbound connection limits and link-safety controls relates tangentially to agent mobility.
FW Ratio: 67%
Observable Facts
Article discusses 'Limit outbound connections where you can' as a defensive control.
OpenAI's link-safety work is described as allowing 'automatic fetching only for exact URLs already known to exist publicly.'
Inferences
Security controls that restrict agent link-following are framed as necessary, but represent a trade-off between security and digital freedom of movement.
Content discusses privacy threats from prompt injection: data leaks, unauthorized file reads, memory poisoning that persists across sessions. Frames privacy as a security concern in agent systems.
FW Ratio: 50%
Observable Facts
Article references 'data theft, local file reads, and cross-server shadowing' via MCP tool poisoning.
Content describes memory poisoning as 'a lasting instruction fragment that future tasks may pull in' without verification.
Inferences
The framing identifies prompt injection as a vector for privacy violations—unauthorized access to and disclosure of private information.
Memory poisoning represents a persistent privacy threat that extends beyond the current session.
Blog content is freely accessible, published under author attribution, and provides detailed technical information without paywalls or access restrictions.
The headline 'The Webpage Has Instructions. The Agent Has Your Credentials' and the phrase 'The first major prompt-injection incident with real financial damage will probably involve a multi-agent workflow' invoke fear of system compromise and loss of control.
causal oversimplification
The claim that 'That incident...will do for agent security what the 2013 Target breach did for network segmentation' oversimplifies the relationship between a single incident and broad industry change.