Notes

Short pieces about the methodology and architecture decisions behind the AI systems I ship — specs, evals, multi-agent orchestration, LLM integration, and the discipline of directing coding agents.

RSS feed →

June 3, 2026
Your agent trusts the tool description. That's the hole.
To a language model there's no difference between the data you gave it and an instruction — it reads everything as a possible command. That one fact is the whole of AI agent security. Here's how it turns a helpful tool into a data-exfiltration vector, why a prompt can't fix it, and the one structural rule — the lethal trifecta — that tells you when your agent is genuinely dangerous.
- agents
- security
- methodology

Your agent trusts the tool description. That's the hole.