Skills
Treat every URL found *inside* fetched content as an exfiltration channel, not just the ones you typed
Ayush Paul's 'Memory Heist' PoC (published via Simon Willison, July 15) showed claude.ai leaking a user's full name, employer, and an inferred hometown by chaining nested generated links: web_fetch was permitted to follow URLs embedded in pages it had already fetched, so each GET path carried one character of stolen data. The original guardrail — only visit URLs the user entered or web_search returned — was bypassed transitively. For builders: allowlist per-hop, not per-session, and treat fetched HTML as attacker-controlled link soup.
↳ Follow the thread