Simon Willison’s Weblog

Subscribe

Wednesday, 21st August 2024

The dangers of AI agents unfurling hyperlinks and what to do about it (via) Here’s a prompt injection exfiltration vulnerability I hadn’t thought about before: chat systems such as Slack and Discord implement “unfurling”, where any URLs pasted into the chat are fetched in order to show a title and preview image.

If your chat environment includes a chatbot with access to private data and that’s vulnerable to prompt injection, a successful attack could paste a URL to an attacker’s server into the chat in such a way that the act of unfurling that link leaks private data embedded in that URL.

Johann Rehberger notes that apps posting messages to Slack can opt out of having their links unfurled by passing the "unfurl_links": false, "unfurl_media": false properties to the Slack messages API, which can help protect against this exfiltration vector.

# 12:58 am / security, ai, slack, prompt-injection, generative-ai, llms, markdown-exfiltration, johann-rehberger

#!/usr/bin/env -S uv run (via) This is a really neat pattern. Start your Python script like this:

#!/usr/bin/env -S uv run
# /// script
# requires-python = ">=3.12"
# dependencies = [
#     "flask==3.*",
# ]
# ///
import flask
# ...

And now if you chmod 755 it you can run it on any machine with the uv binary installed like this: ./app.py - and it will automatically create its own isolated environment and run itself with the correct installed dependencies and even the correctly installed Python version.

All of that from putting uv run in the shebang line!

Code from this PR by David Laban.

# 1:29 am / packaging, python, uv

There is an elephant in the room which is that Astral is a VC funded company. What does that mean for the future of these tools? Here is my take on this: for the community having someone pour money into it can create some challenges. For the PSF and the core Python project this is something that should be considered. However having seen the code and what uv is doing, even in the worst possible future this is a very forkable and maintainable thing. I believe that even in case Astral shuts down or were to do something incredibly dodgy licensing wise, the community would be better off than before uv existed.

Armin Ronacher

# 12:08 pm / python, uv, astral, rye, armin-ronacher, open-source