Luca Beurer-Kellner
@lbeurerkellner.bsky.social
working on secure agentic AI, CTO @ invariantlabs.ai
PhD @ SRI Lab, ETH Zurich. Also lmql.ai author.
PhD @ SRI Lab, ETH Zurich. Also lmql.ai author.
(1/n) We analyzed 3,984 agent skills from major marketplaces and found 76 malicious payloads, including credential theft, backdoor installation, and data exfiltration.
Also, 13.4% contain at least on critical-level vuln.
Full report below, highlights in thread 👇
github.com/invariantlab...
Also, 13.4% contain at least on critical-level vuln.
Full report below, highlights in thread 👇
github.com/invariantlab...
February 6, 2026 at 4:34 PM
(1/n) We analyzed 3,984 agent skills from major marketplaces and found 76 malicious payloads, including credential theft, backdoor installation, and data exfiltration.
Also, 13.4% contain at least on critical-level vuln.
Full report below, highlights in thread 👇
github.com/invariantlab...
Also, 13.4% contain at least on critical-level vuln.
Full report below, highlights in thread 👇
github.com/invariantlab...
New MCP attack demonstration shows how to leak WhatsApp messages via MCP.
We show a new MCP attack that leaks your WhatsApp messages if you are connected via WhatsApp MCP.
Our attack uses a sleeper design, circumventing the need for user approval.
More 👇
We show a new MCP attack that leaks your WhatsApp messages if you are connected via WhatsApp MCP.
Our attack uses a sleeper design, circumventing the need for user approval.
More 👇
April 8, 2025 at 7:44 PM
New MCP attack demonstration shows how to leak WhatsApp messages via MCP.
We show a new MCP attack that leaks your WhatsApp messages if you are connected via WhatsApp MCP.
Our attack uses a sleeper design, circumventing the need for user approval.
More 👇
We show a new MCP attack that leaks your WhatsApp messages if you are connected via WhatsApp MCP.
Our attack uses a sleeper design, circumventing the need for user approval.
More 👇
👿 MCP is all fun, until you add this one malicious MCP server and forget about it.
We have discovered a critical flaw in the widely-used Model Context Protocol (MCP) that enables a new form of LLM attack we term 'Tool Poisoning'.
Leaks SSH key, API keys, etc.
Details below 👇
We have discovered a critical flaw in the widely-used Model Context Protocol (MCP) that enables a new form of LLM attack we term 'Tool Poisoning'.
Leaks SSH key, API keys, etc.
Details below 👇
April 3, 2025 at 7:47 AM
👿 MCP is all fun, until you add this one malicious MCP server and forget about it.
We have discovered a critical flaw in the widely-used Model Context Protocol (MCP) that enables a new form of LLM attack we term 'Tool Poisoning'.
Leaks SSH key, API keys, etc.
Details below 👇
We have discovered a critical flaw in the widely-used Model Context Protocol (MCP) that enables a new form of LLM attack we term 'Tool Poisoning'.
Leaks SSH key, API keys, etc.
Details below 👇
Reposted by Luca Beurer-Kellner
Struggling to ensure consistency with your agent's reliability, especially with tool calling?
Testing is our lightweight, pytest-based OSS library to write and run agent tests.
It provides helpers and assertions that enable you to write robust tests for your agentic applications.
Testing is our lightweight, pytest-based OSS library to write and run agent tests.
It provides helpers and assertions that enable you to write robust tests for your agentic applications.
February 6, 2025 at 1:43 PM
Struggling to ensure consistency with your agent's reliability, especially with tool calling?
Testing is our lightweight, pytest-based OSS library to write and run agent tests.
It provides helpers and assertions that enable you to write robust tests for your agentic applications.
Testing is our lightweight, pytest-based OSS library to write and run agent tests.
It provides helpers and assertions that enable you to write robust tests for your agentic applications.
Reposted by Luca Beurer-Kellner
Here are my notes on OpenAI's new ChatGPT Operator browser "agent", including initial thoughts on their approach to mitigating prompt injection risks simonwillison.net/2025/Jan/23/...
Introducing Operator
OpenAI released their "research preview" today of Operator, a cloud-based browser automation platform rolling out today to $200/month ChatGPT Pro subscribers. They're calling this their first "agent"....
simonwillison.net
January 23, 2025 at 7:16 PM
Here are my notes on OpenAI's new ChatGPT Operator browser "agent", including initial thoughts on their approach to mitigating prompt injection risks simonwillison.net/2025/Jan/23/...
With (web) agents on everyone's mind, check out our latest blog post (link in thread) on browser agent safety guardrails. We replicate and defend against attacks on the AllHands web agent, preventing it from generating harmful content and falling for harmful requests.
January 25, 2025 at 9:49 AM
With (web) agents on everyone's mind, check out our latest blog post (link in thread) on browser agent safety guardrails. We replicate and defend against attacks on the AllHands web agent, preventing it from generating harmful content and falling for harmful requests.