156 points abirag | 7 comments
1. furyofantares ◴[] No.45310124[source]
> The "lethal trifecta," as described by Simon Willison, is the combination of LLM agents, tool access, and long-term memory that together enable powerful but easily exploitable attack vectors.

This is a terrible description of the lethal trifecta; it lists 3 things but they are not the trifecta. The trifecta happens to be contained in the things listed in this (and other) examples but it's stated as if the trifecta is listed here, when it is not.

The trifecta is: access to your private data, exposure to untrusted content, and the ability to externally communicate. Web search as a tool for an LLM agent is both exposure to untrusted content and the ability to externally communicate.

replies(3): >>45310342 #>>45310512 #>>45310722 #
2. swyx ◴[] No.45310342[source]
yeah TFA gets it wrong. source: https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
replies(1): >>45310351 #
3. gnabgib ◴[] No.45310351[source]
This post started there https://news.ycombinator.com/item?id=45307452 .. yes a different link, but this was originally linked to a simonw tweet, and he linked elsewhere.
4. empiko ◴[] No.45310512[source]
In my opinion, the trifecta can be reduced further to a simple statement: an attacker who can input into your LLM can control all its resources.
replies(1): >>45312770 #
5. Kevcmk ◴[] No.45310722[source]
This isn’t the trifecta.

It’s:

* Untrusted input

* Privileged access

* Exfiltration vector

replies(1): >>45312748 #
6. furyofantares ◴[] No.45312748[source]
Those are different words for the same things.

I think the reason for the original wording, which I pasted from the post it was coined in, is to make it more accessible than this, more obvious what you need to look out for.

"Untrusted input" sounds like something I'm not gonna give an agent; "access to untrusted content" sounds like something I need to look out for. "Privileged access" also sounds like something I'm not gonna give it, while "access to my private data" is the whole reason I'm using it.

"Exfiltration vector" may not even be a phrase many understand; "ability to communicate externally" is better, although I think this could use more work: it is not obvious to many people that stuff like web search counts here.
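
Added example, not part of any comment in this thread: a small audit of an agent's tool set against the three legs as worded above, showing that one tool can supply two legs (web search) and which tool removals actually break the combination. The tool names and their capability tags are constructed assumptions, not taken from any real agent framework.

```python
from itertools import combinations

# The three legs, using the wording quoted in the thread.
PRIVATE_DATA = "access to private data"
UNTRUSTED = "exposure to untrusted content"
EXTERNAL = "ability to externally communicate"
TRIFECTA = (PRIVATE_DATA, UNTRUSTED, EXTERNAL)

# Constructed inventory: hypothetical tool names, each tagged with the legs it supplies.
AGENT_TOOLS = {
    "web_search": {UNTRUSTED, EXTERNAL},     # fetches pages and sends queries out
    "read_inbox": {PRIVATE_DATA, UNTRUSTED}, # assumption: inbox holds mail from strangers
    "read_notes": {PRIVATE_DATA},
    "send_email": {EXTERNAL},
    "calculator": set(),
}

def legs_present(tools):
    """Map each leg to the sorted list of tools that supply it."""
    return {leg: sorted(t for t, caps in tools.items() if leg in caps)
            for leg in TRIFECTA}

def has_trifecta(tools):
    """True when every leg is supplied by at least one enabled tool."""
    return all(legs_present(tools).values())

def minimal_removals(tools):
    """Smallest sets of tools whose removal leaves at least one leg unsupplied."""
    if not has_trifecta(tools):
        return []
    names = sorted(tools)
    for size in range(1, len(names) + 1):
        hits = [combo for combo in combinations(names, size)
                if not has_trifecta({t: tools[t] for t in names if t not in combo})]
        if hits:
            return hits
    return []

if __name__ == "__main__":
    for leg, suppliers in legs_present(AGENT_TOOLS).items():
        print(f"{leg}: {suppliers}")
    print("trifecta complete:", has_trifecta(AGENT_TOOLS))
    print("minimal removals that break it:", minimal_removals(AGENT_TOOLS))
```

In this constructed inventory no single tool removal breaks the combination, because each leg has two suppliers; dropping only `send_email` leaves `web_search` as the outbound channel.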

7. furyofantares ◴[] No.45312770[source]
It can, but it doesn't really help someone spot the danger.