by ollien 339 days ago
> It is also crazy to point that command at a production database and do random stuff with it

In a REPL, the output is printed. In an LLM interface w/ MCP, the output is, for all intents and purposes, evaluated. These are pretty fundamentally different; you're not doing "random" stuff with a REPL, you're evaluating a command and _only_ printing the output. This would be like someone copying the output from their SQL query back into the prompt, which is of course a bad idea.


The output printing in a REPL is absolutely not a meaningful security boundary. Come on.

I won't claim to be as well-versed as you are in security compliance -- in fact I will say I definitively am not. Why would you think that it isn't a meaningful difference here? I would never simply pipe sqlite3 output to `eval`, but that's effectively what the MCP tool output is doing.

If you give a competent attacker a single input line on your REPL, you are never again going to see an output line that they don't want you to see.

We're agreeing here. I'm in fact suggesting you _shouldn't_ use the output from your database as input.