Why do you think privacy?

Security I understand, but if you consent to giving it access would it not be fine for privacy.

You give it access, it grabs your ssh keys and exfiltrates them to some third-party server. That is not the access the user gave to your platform, but it is what it would be capable of doing.

Ohh, we don't give it computer-use access or anything like that. We inject tokens post tool call, so as to protect users from the agent doing anything malicious.

I'm thinking about what this post explains more clearly than I can:

https://simonwillison.net/2025/Jun/16/the-lethal-trifecta

Seems to me that these kinds of systems, by design, tick all three boxes. I've had many discussions with people that let agent systems read and act on their incoming email, for instance, and I think it's utter insanity from a security perspective.
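One way to turn the "three boxes" argument into an enforceable runtime check, as an added example that is not part of the thread: a per-session gate that tracks which legs of the trifecta (private data, untrusted content, outbound channel) the agent has already touched and refuses any tool call that would complete the set. The tool catalogue and session flow are constructed for illustration; note that an inbox counts as both private data and untrusted content, which is why the email case fails early.

```python
"""Session gate for the 'lethal trifecta': private data + untrusted
content + outbound channel. Tool names and their classification are
constructed for this example, not taken from any real agent framework."""
from dataclasses import dataclass, field

# Constructed catalogue: which trifecta leg(s) each tool touches.
TOOL_LEGS: dict[str, set[str]] = {
    "read_ssh_dir": {"private"},
    # Your own mailbox is private data, but anyone can write into it,
    # so reading it also brings attacker-controlled text into context.
    "read_inbox":   {"private", "untrusted"},
    "fetch_url":    {"untrusted"},
    "send_email":   {"outbound"},
    "http_post":    {"outbound"},
    "summarize":    set(),          # pure computation, touches no leg
}


@dataclass
class Session:
    legs: set[str] = field(default_factory=set)
    log: list[str] = field(default_factory=list)

    def request_tool(self, tool: str) -> bool:
        """Return True if the call is allowed; deny if it would give this
        session all three legs, or if the tool is not in the catalogue."""
        legs = TOOL_LEGS.get(tool)
        if legs is None:                       # unknown tool: fail closed
            self.log.append(f"DENY {tool}: not in catalogue")
            return False
        if len(self.legs | legs) == 3:
            self.log.append(
                f"DENY {tool}: would add {sorted(legs)} to {sorted(self.legs)}")
            return False
        self.legs |= legs
        self.log.append(f"ALLOW {tool}")
        return True


def run(calls: list[str]) -> list[bool]:
    """Replay a sequence of tool requests in one fresh session."""
    session = Session()
    return [session.request_tool(c) for c in calls]


if __name__ == "__main__":
    # The email-agent scenario from the discussion: reading mail already
    # covers two legs, so the first outbound tool is refused.
    print(run(["read_inbox", "summarize", "send_email"]))
```

The gate is deliberately order-independent about which leg gets refused: whichever tool would be the third is the one that fails, so a session that has fetched a URL and posted elsewhere is barred from later reading secrets, not only the reverse.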