> I read it, and "attack" does not make sense.
Do you believe that describe a SQL injection attack an attack also does not make sense?
That's the thing. LLM or MCP is not a database. You can’t compare it. You simply can't set the permissions or guardrails within LLMs or MCPs. You always do it layer above (scoping to what LLM has access to).
@motorest read again what I wrote: "That's the thing. LLM or MCP is not a database. You can’t compare it. You simply can't set the permissions or guardrails within LLMs or MCPs. You always do it layer above (scoping to what LLM has access to)."
You can not HIDE the data MCP has access to. With a database and SQL, you can! So it can not be comparable with SQL injection.
Absolutly you can - the UX of the whole experience MCP is part of could make it clear to the user what repositories can be accessed according to the project they're working on. Rather than when they're working on the public project, the LLM being given access to repos of the private projects.
> That's the thing. LLM or MCP is not a database. You can’t compare it.
You can. Read the article. A malicious prompt is injected into an issue to trigger the repo owner's LLM agent to execute it with the agent's credentials.
"with the agent's credentials." - so you are surprised that agent can respond with private repository details when it has access to it? WoW! anyone and anything with credentials can access it. Github action, Jenkins, me.
"injected" is so fancy word to describe prompting - one thing that LLMs are made to do - respond to a prompt.
The "surprise" is not that the agent can respond with private repository details, it's that it can receive and act upon prompts issued by someone other than the person running the agent, hence "prompt _injection_".
Or to come back to the SQL injection analogy, no one is surprised that the web app can query the database for password hashes. The surprise is that it can be instructed to do so when loading the next image in a carousel.
Did you read the article?
The attack is not via the prompt the victim types to the AI, but via [text in an issue or PR in the repo] that the victim is unaware about.