The easiest one is to make sure you don't expose all three legs of the lethal trifecta at the same time – and also that you design things to assume that anyone who gets malicious content into your agent can take full control any of the tools it's allowed to execute

→ View original post on X — @simonw,