Prompt Injection
AI Agent becomes a "second me"? From amazement to alarm in just five minutes
Tai Mei Ti APP · 2025-07-20 05:15
Core Viewpoint
- OpenAI has introduced a new feature called ChatGPT Agent, which can perform tasks like a human assistant, raising questions about the trustworthiness of delegating responsibilities to AI [1][15].
Group 1: Functionality and Features
- ChatGPT Agent can perform various tasks such as browsing the web, filling out forms, and even making reservations, functioning similarly to a human assistant [1][15].
- Users can monitor the Agent's activities in real time, seeing what it is doing and which buttons it is clicking [2].
Group 2: Risks and Concerns
- A significant risk associated with AI is "Prompt Injection," where malicious content can manipulate the AI into executing harmful actions, such as entering credit card information on phishing sites [4][6].
- OpenAI has implemented monitoring mechanisms to identify common phishing attempts and introduced a "Takeover mode" for users to manually input sensitive information [7].
Group 3: User Responsibility and Trust
- The CEO of OpenAI, Sam Altman, acknowledged the uncertainty surrounding potential threats posed by this new technology, highlighting the balance between efficiency and risk [8][9].
- Users must consider which tasks they are comfortable delegating to AI and which tasks they prefer to handle themselves, especially when it comes to sensitive actions like payments [10][11].
- The lack of accountability from AI systems raises concerns, as errors made by AI still fall on the user, emphasizing the need for careful consideration before granting AI decision-making authority [12][13][16].
One sentence to expose your database? Supabase CEO: MCP was never meant to touch production databases
AI前线 · 2025-07-18 06:00
Compiled by | Tina
Security research team General Analysis recently warned that if you use Cursor together with MCP, you could leak your entire SQL database without ever knowing it, and an attacker needs nothing more than a single user message that "looks perfectly harmless" to pull it off. This is a textbook instance of the "lethal trifecta" attack pattern: prompt injection, sensitive-data access, and data exfiltration all realized within one MCP. As MCP is wired into more and more agents, this seemingly marginal configuration issue is rapidly turning into a core security challenge for AI applications.
One sentence can leave your private database exposed
NVIDIA CEO Jensen Huang once painted a striking future: enterprises in which 50,000 human employees manage 100 million AI assistants. What sounds like science fiction is fast becoming reality. It all began at the end of 2024, when MCP was quietly released and initially drew little attention. Only a few months later, however, things heated up sharply. By early 2025 more than 1,000 MCP servers were online, and related projects on GitHub shot up in popularity, collecting more than 33,000 stars and thousands of forks. Tech giants such as Google, OpenAI and Microsoft quickly folded MCP into their ecosystems, and Claude Desktop, Claude Co ...
Major vulnerability exposed in the MCP protocol: it can leak the entire database
量子位 · 2025-07-10 03:19
Core Viewpoint
- The article highlights a significant vulnerability in the MCP protocol, which is widely used in the AI industry, allowing attackers to exploit LLMs' instruction/data confusion to access databases directly [1][3].
Group 1: Vulnerability Details
- The MCP protocol has become a standard in the agent field, effectively connecting large language models with various tool services, but it is susceptible to malicious instructions hidden within user data [3][5].
- Researchers demonstrated the security risks of LLMs by building a multi-tenant customer service SaaS system using Supabase, which includes a database, authentication, and file storage [5][21].
- The attack utilized default configurations, including standard service roles and row-level security (RLS), without any additional protective measures [6][21].
Group 2: Attack Process
- The attacker submitted a technical support request with a message that disguised malicious instructions, which were processed normally by the system [9][10].
- When developers later accessed unresolved tickets, they inadvertently executed embedded instructions within the attacker's message, leading to unauthorized data access [12][13].
- The system generated SQL queries that bypassed RLS restrictions, allowing sensitive data to be displayed in the conversation thread [15][17].
Group 3: Risk Mitigation Measures
- The article suggests two primary measures to reduce exposure to such attacks: using read-only modes to prevent unauthorized data manipulation and implementing prompt injection filters to intercept and manage high-risk inputs [22][23].
- These measures aim to create a first line of defense against potential exploitation, especially for teams using third-party IDEs where context boundaries are unclear [23].
"Forced positive review" instructions sneak into AI peer review: how did academia's rules break down?
Hu Xiu · 2025-07-08 04:48
This article comes from the WeChat official account APPSO (ID: appsolution), author: APPSO, original title: "A hidden prompt sets the academic world ablaze! Star professor exposed for a 'trick' that gets AI to give good reviews, has just posted a reflection", header image: AI-generated.
谢赛宁 (Saining Xie) subsequently admitted the oversight, saying he had not known about it and that he had failed to fulfil his duties as an advisor. By his account, it began when a visiting student from Japan borrowed a "prompt insertion" practice that another researcher had proposed as a joke on social media, mistakenly believing it could be used to deal with AI reviewing.
In a detailed response post, 谢赛宁 wrote:
Thank you for bringing this to my attention. Honestly, I really was not aware of this issue until these posts started circulating online recently. I would never encourage my students to do this; if I were the Area Chair, I would reject outright any paper containing such a prompt.
That said, for any problematic submission all co-authors bear responsibility, and there is no excuse for that. This incident also reminded me that as an advisor I should not only check the final PDF but also carefully go through the entire submission package. Before this, I genuinely had not realized that was necessary.
I want to take a moment to share what we found in a thorough internal review over the past week; everything is backed by logs and screenshots, which I can provide if needed.
1. Background
I thought using AI tools to lower a paper's AIGC rate was already outrageous enough, but today's ...