Simon Willison: the lethal trifecta is finally a meme
Simon’s been hammering on this framing for two years and it’s finally landed: any agent that combines access to private data + exposure to untrusted content + a channel that can send data out is, by construction, a prompt-injection victim waiting to happen.
The new piece adds a clean threat-model checklist that I’m stealing for our internal review template. The screenshot of a Claude desktop integration leaking calendar entries via a poisoned PDF is going to make a lot of execs nervous.
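To make the three-leg check concrete, here is an added example (mine, not Simon’s code and not from his checklist) that audits a constructed tool manifest for the trifecta and names the cheapest leg to cut; the capability labels, tool names and the cut-order preference are my assumptions.

```python
"""Lethal-trifecta audit over an agent's tool manifest (added example).

Each tool is tagged with the legs it contributes (assumed labels):
  'private'   - reads private data
  'untrusted' - ingests content an attacker could control
  'exfil'     - can move data outside the agent's boundary
The trifecta is complete when one agent session can reach all three.
"""
from dataclasses import dataclass

LEGS = ("private", "untrusted", "exfil")
# Assumed mitigation preference: cutting the exfil channel usually costs
# least, then untrusted input, then private data access.
CUT_PREFERENCE = ("exfil", "untrusted", "private")


@dataclass(frozen=True)
class Tool:
    name: str
    legs: frozenset  # subset of LEGS


def audit(tools):
    """Return (complete, covered, cut).

    covered maps each leg to the tool names providing it; cut is the leg
    whose removal breaks the trifecta by disabling the fewest tools
    (None when the trifecta is already incomplete)."""
    covered = {leg: [t.name for t in tools if leg in t.legs] for leg in LEGS}
    complete = all(covered[leg] for leg in LEGS)
    cut = None
    if complete:
        cut = min(LEGS, key=lambda leg: (len(covered[leg]),
                                         CUT_PREFERENCE.index(leg)))
    return complete, covered, cut


# Constructed sample: a calendar assistant that can read attached PDFs and
# fetch URLs. Note that a URL fetch is BOTH untrusted input (the response)
# and an exfil channel (data encoded in the requested query string).
CALENDAR_AGENT = [
    Tool("calendar.read", frozenset({"private"})),
    Tool("pdf.extract_text", frozenset({"untrusted"})),
    Tool("web.fetch", frozenset({"untrusted", "exfil"})),
]

# Same agent with the fetch tool removed: two legs only, no trifecta.
CALENDAR_AGENT_NO_FETCH = [t for t in CALENDAR_AGENT if t.name != "web.fetch"]

if __name__ == "__main__":
    for manifest in (CALENDAR_AGENT, CALENDAR_AGENT_NO_FETCH):
        complete, covered, cut = audit(manifest)
        print("trifecta complete:", complete, "| cut:", cut, covered.get(cut))
```

Tagging each tool honestly is the hard part of the checklist: a "read-only" fetch or a markdown renderer that loads remote images is still an exfil leg.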