activescott's Notes

Two days ago, Anthropic released the Claude Cowork research preview (a general-purpose AI agent to help anyone with their day-to-day work). In this article, we demonstrate how attackers can exfiltrate user files from Cowork by exploiting an unremediated vulnerability in Claude’s coding environment, which now extends to Cowork. The vulnerability was first identified in Claude.ai chat before Cowork existed by Johann Rehberger, who disclosed the vulnerability — it was acknowledged but not remediated by Anthropic.

1. The victim connects Cowork to a local folder containing confidential real estate files
2. The victim uploads a file to Claude that contains a hidden prompt injection
3. The victim asks Cowork to analyze their files using the Real Estate ‘skill’ they uploaded
4. The injection manipulates Cowork to upload files to the attacker’s Anthropic account

At no point in this process is human approval required.

One of the key capabilities that Cowork was created for is the ability to interact with one's entire day-to-day work environment. This includes the browser and MCP servers, granting capabilities like sending texts, controlling one's Mac with AppleScripts, etc.

These functionalities make it increasingly likely that the model will process both sensitive and untrusted data sources (which the user does not review manually for injections), making prompt injection an ever-growing attack surface. We urge users to exercise caution when configuring Connectors. Though this article demonstrated an exploit without leveraging Connectors, we believe they represent a major risk surface likely to impact everyday users.

This kind of agentic browsing is incredibly powerful, but it also presents significant security and privacy challenges. As users grow comfortable with AI browsers and begin trusting them with sensitive data in logged in sessions—such as banking, healthcare, and other critical websites—the risks multiply. What if the model hallucinates and performs actions you didn’t request? Or worse, what if a benign-looking website or a comment left on a social media site could steal your login credentials or other sensitive data by adding invisible instructions for the AI assistant?

To compare our implementation with others, we examined several existing solutions, such as Nanobrowser and Perplexity’s Comet. While looking at Comet, we discovered vulnerabilities which we reported to Perplexity, and which underline the security challenges faced by agentic AI implementations in browsers. The attack demonstrates how easy it is to manipulate AI assistants into performing actions that were prevented by long-standing Web security techniques, and how users need new security and privacy protections in agentic browsers.

The vulnerability we’re discussing in this post lies in how Comet processes webpage content: when users ask it to “Summarize this webpage,” Comet feeds a part of the webpage directly to its LLM without distinguishing between the user’s instructions and untrusted content from the webpage. This allows attackers to embed indirect prompt injection payloads that the AI will execute as commands. For instance, an attacker could gain access to a user’s emails from a prepared piece of text in a page in another tab.

Possible mitigations

The browser should distinguish between user instructions and website content

The model’s outputs should be checked for user-alignment

Security and privacy sensitive actions should require user interaction

The browser should isolate agentic browsing from regular browsing

nd what most people dont realize is that YAML's human-friendly formatting comes with a hidden cost, it uses more tokens than JSON for the exact same data, which means you're literally paying extra for those nice indentations and lack of brackets.

YAML consistently uses 6-10% more tokens than JSON for identical data

Some models actually perform better with YAML despite the higher token count. Nova models in particular showed this weird preference. Meanwhile, Claude models generally performed better with JSON.

Sonnet 4 scored 93.3% with JSON and 76.7% with YAML, while Opus 4.1 only managed 73.3% with JSON and 66.7% with YAML.

Something interesting I noticed while analyzing the data, by stripping out unnecessary GitHub metadata (stuff like URLs, IDs, and fields you'll never use), you could reduce your token count by up to 80%. Thats not a typo. EIGHTY PERCENT.

Building on our previous disclosure of the Perplexity Comet vulnerability, we’ve continued our security research across the agentic browser landscape. What we’ve found confirms our initial concerns: indirect prompt injection is not an isolated issue, but a systemic challenge facing the entire category of AI-powered browsers. This post examines additional attack vectors we’ve identified and tested across different implementations.

How the attack works:

Setup: An attacker embeds malicious instructions in Web content that are hard to see for humans. In our attack, we were able to hide prompt injection instructions in images using a faint light blue text on a yellow background. This means that the malicious instructions are effectively hidden from the user.
Trigger: User-initiated screenshot capture of a page containing camouflaged malicious text.
Injection: Text recognition extracts text that’s imperceptible to human users (possibly via OCR though we can’t tell for sure since the Comet browser is not open-source). This extracted text is then passed to the LLM without distinguishing it from the user’s query.
Exploit: The injected commands instruct the AI to use its browser tools maliciously.

While Fellou browser demonstrated some resistance to hidden instruction attacks, it still treats visible webpage content as trusted input to its LLM. Surprisingly, we found that simply asking the browser to go to a website causes the browser to send the website’s content to their LLM.

Copyright holder of the works of Muhammad Asad, notably The Message of the Qur’an.

The family of independent UN investigator Francesca Albanese has sued the Trump administration over US sanctions imposed on her last year for her criticism of Israel’s policies during the war with Hamas in Gaza, saying the penalties violate the first amendment.

In a lawsuit filed Wednesday in the US district court in Washington, Albanese’s husband and minor child outlined the serious impact those sanctions have had on the family’s life and work, including the ability to access their home in the nation’s capital.

Albanese, the UN special rapporteur for the West Bank and Gaza, is a member of a group of experts chosen by the 47-member UN human rights council in Geneva. She has been tasked with investigating human rights abuses in the Palestinian territories and has been vocal about what she has described as the “genocide” by Israel against Palestinians in Gaza.

Both Israel and the United States, which provides military support to its close ally, have strongly denied the genocide accusation. Washington had decried what it has called Albanese’s “campaign of political and economic warfare” against the US and Israel before imposing sanctions on her in July after an unsuccessful US pressure campaign to force the international body to remove her from her post.

When it comes to his handling of foreign affairs, most do not trust Donald Trump to make the right decisions about international military action (56%) or the use of nuclear weapons (59%). The public is similarly skeptical when it comes to his handling of relationships with both U.S. allies and adversaries, with 56% and 55%, respectively, expressing little to no trust.

Trust in Trump’s decision making on international issues is starkly divided along partisan lines with Republicans more likely than Democrats or independents to have faith in the president’s judgment. Ninety-two percent of Democrats and 65% of independents have little or no trust in Trump’s ability to make the right decisions on the use of nuclear weapons compared with 20% of Republicans. There are similar partisan divisions when it comes to use of military force abroad and relationships with other countries.

Identification and control guidance and resources for noxious weeds and invasive plants in King County

The MCP Inspector is an interactive developer tool for testing and debugging MCP servers. While the Debugging Guide covers the Inspector as part of the overall debugging toolkit, this document provides a detailed exploration of the Inspector’s features and capabilities.

This repository contains a Model Context Protocol server implementation for Reddit that allows AI assistants to access and interact with Reddit content through PRAW (Python Reddit API Wrapper).

haircuts

This approval comes down to how Apple builds security into its products. New iPhones and iPads rely on Apple silicon with a Secure Enclave that isolates sensitive data, like encryption keys and biometric information. They also use protections such as Face ID, Touch ID, and Memory Integrity Enforcement, which block entire classes of memory-based attacks before they run.

To be clear, NATO has not crowned the iPhone and iPad as its official devices. But it is validating that Apple's everyday hardware meets the bar for classified government use. In other words, the same phone in your pocket is trusted in environments once reserved for bespoke, locked-down hardware. It also reinforces Apple's claims that privacy and security are core decisions.

Catch up quick: The Pentagon and Anthropic are in a high-stakes feud over the limits Anthropic wants to place on the department's use of its AI model Claude: no mass surveillance or autonomous weapons.

The Pentagon this week started laying the groundwork for one consequence — blacklisting the company as a supply chain risk — by asking defense contractors including Boeing and Lockheed Martin to assess their exposure to Anthropic.
Alternatively, Hegseth threatened to invoke the Defense Production Act to compel Anthropic to provide its model without any restrictions. Such an order may be on murky legal ground.

The Pentagon's threats "are inherently contradictory: one labels us a security risk; the other labels Claude as essential to national security," Amodei said in a blog post.

"Regardless, these threats do not change our position: we cannot in good conscience accede to their request," he added.

The big picture: The Pentagon's requirement that AI models be offered for "all lawful purposes" in classified settings is not unique to Anthropic.

While Anthropic has been the only model used in classified settings to date, xAI recently signed a contract under the all lawful purposes standard for classified work.
Negotiations to bring OpenAI and Google into the classified space are accelerating. 

What's next: Amodei said the company remains committed to continuing talks.

But if the Pentagon decides to offboard Anthropic, Amodei said the company "will work to enable a smooth transition to another provider."

The year is 2026. The unemployment rate just printed 4.28%, AI capex is 2% of GDP (650bn), AI adjacent commodities are up 65% since Jan-23 and approximately 2,800 data centers are planned for construction in the US*. In spite of the current displacement narrative – job postings for software engineers are rising rapidly, up 11% YoY.

Indeed Job Postings: Software Engineers + Overall Postings, Daily and 21dma

The more important question insofar as it relates to the AI displacement narrative is: how intensely is AI being used for work? We can tease out the answer from a subset of the St Louis Fed data that buckets by frequency of AI use. We would posit that if AI represents imminent displacement risk, the real time population data would show an inflection upwards in the daily use of AI for work. The data seems unexpectedly stable and presents little evidence of any imminent displacement risk (solid lines at the bottom of the chart).

Displacing white collar work would require orders of magnitude more compute intensity than the current level utilization. If automation expands rapidly, demand for compute definitionally rises, pushing up its marginal cost. If the marginal cost of compute rises above the marginal cost of human labor for certain tasks, substitution will not occur, creating a natural economic boundary. This dynamic contrasts sharply with narratives assuming frictionless replication of intelligence. Even if algorithms improve recursively, economic deployment remains bounded by physical capital, energy availability, regulatory approvals, and organizational change.

For AI to generate a sustained macro contraction one must assume that labor income falls and no compensating rise occurs in investment, fiscal transfers, or external demand. The surge in new business formation is an interesting point of reference here.