[sebtron]

> In traditional security, we think in terms of isolated components. In the AI era, context is everything.

In traditional security, everyone knows that attaching a code runner to a source of untrusted input is a terrible idea. AI plays no role in this.

> That’s exactly why we’re building MCP Security at Pynt, to help teams identify dangerous trust-capability combinations, and to mitigate the risks before they lead to silent, chain-based exploits.

This post just an add then?

[stingraycharles]

It’s not a great blog post. He attached a shell MCP server to Claude Desktop and is surprised that output / instructions from one MCP server can cause it to interact with the shell server.

These types of vulnerabilities have been known for a long time, and the only way to deal with them is locking down the MCP server and/or manually approving requests (the default behavior)

[jcelerier]

> These types of vulnerabilities

I don't understand why it's called a vuln. It's, like, the whole point of the system to be able to do this! It's how it's marketed!

[timhh]

Yeah I also don't understand how this is unexpected. You gave Claude the ability to run arbitrary commands. It did that. It might unexpectedly run dangerous commands even if you don't connect it to malicious emails.

[antonvs]

If it allows the system to be exploited in unwanted ways, it's a vulnerability. The fact that companies are marketing a giant security vulnerability as a product doesn't really change that.

[michaelt]

A chainsaw juggler surely does not want to chop their own hand off.

But if they do, it's hardly a defect of the chainsaw.

[skeeter2020]

I get your analogy, but isn't this a defect in the juggling?

[tough]

nobody said chainsaw juggling was a smart career move

[stingraycharles]

It kind of is in the same way that Windows used to be root-only. This was a known issue. / vulnerability because those who understood the risks were generally smart enough to avoid getting exploited. The general population, however, did not understand this and the consequences of this became bigger and bigger.

With AI, there’s a whole class of people who don’t really know what they’re signing up for when installing these types of MCP servers. It may not be a vulnerability, but a solution is necessary.

[loa_in_]

People want to eat the cake and have it too.

[c-linkage]

Ted? Is that you?

[shakna]

Didn't Copilot get hit by this?

[0] https://windowsforum.com/threads/echoleak-cve-2025-32711-cri...

[simonw]

Yup, classic example of the lethal trifecta: https://simonwillison.net/2025/Jun/11/echoleak/

[nelsonfigueroa]

I would say company blogs are basically just ads

[zb3]

But at least they attempt to give us something else.. I wish posts like that were the only form of ads legally allowed.

[Agingcoder]

Most of them are but some of them are good. I like the Cloudflare blog in particular which tends to be very technical, and doesn’t rely on magical infrastructure so you can often enough replicate/explore what they talk about at home.

I’ve also said this before but because it doesn’t look like an ad, and because it’s relatable it’s the only one which actually makes me want to apply !

[wepple]

I’d argue that some company blogs which ultimately are ads, are better than this one.

If I read adobes blog about their new updated thing, I know what I’m in for.

This type of blog post poses as interesting insight, but it’s just clickbait for “… which is why we are building …” which is disingenuous

[klabb3]

Yes, it’s content marketing. But out of all the commercial garbage out there, the signal to noise ratio is quite high on avg imo. I find most articles like this somewhat interesting and sometimes even useful. Plus, they’re also free from paywalls and (often) cookie popups. It’s an ecosystem that can work well, as long as the authors maintain integrity: the topic/issue at hand vs the product they’re selling.

Unfortunately, LLMs (or a bad guy with an LLM, if you wish) will probably decimate this communication vector and reduce the SNR ratio soon. Can’t have nice things for too long, especially in a world where it takes less energy to generate the slop than for humans to smell it.

[whisperghost55]

The issue is that the MCP client will run the MCP server as a result of another server output which should never happen- instead the client should ask "would you like me to do that for you?" the ability/"willingness" of LLMs to construct such attacks by composing the emails and refining it based on results is alarming

[progbits]

Every sensible MCP client does ask by default. They have changed that to auto-allow, likely after going through a pop-up warning about this exact issue, and now proclaim surprise.

[joshmlewis]

There have been a lot of these clickbait articles the past few months about how a company "hacked" MCP of <insert well known company>. They always get upvotes and do well but the take away is what you said at the end of the day.