
Key facts.
- The lethal trifecta names external communication as the exfiltration leg: private data plus untrusted content plus a send path equals theft (Willison, 2025).
- The GitHub MCP exploit combined reading private repos with creating a pull request to exfiltrate that data (reported).
- Slack AI was shown exfiltrating private channel data via indirect injection planted in retrievable content (PromptArmor).
Why is the send capability so dangerous specifically?
Because it closes the loop. Reading private data alone leaks nothing; the attacker needs a way to get it out. Email, chat, an outbound HTTP call, a pull request, any of these is an exit. Social engineering makes it worse: a crafted message can have the agent compose a convincing email to a real colleague, turning your agent into an insider. The defense is to treat any turn that touched untrusted content as tainted and to gate outbound communication after that point, so the exit is closed exactly when it matters.

Open send vs. gated send
| Open send | Gated send |
|---|---|
| Outbound comms always available | Outbound gated after untrusted input |
| Compromise reaches an exit | Exit closed when the turn is tainted |
| Agent can be made an insider | External sends require approval |
VibeModel's Pattern Intelligence Layer recognizes when an agent that has handled untrusted content moves toward an outbound send carrying private data, and stops that pattern. You give the agent the comms it needs; we make sure those comms can't become an attacker's exfiltration channel. Close the loop and the trifecta breaks.
Frequently asked questions
Can I keep the agent's email access?
Yes, if you gate it. Decouple private-data reads from external sends in the same turn, or require approval once untrusted content is involved.
What counts as an exit?
Any outbound path: email, chat, HTTP, PR creation, even an image URL the client fetches. Treat them all as exfiltration channels.

