That's exactly right, great way of putting it.
I am personally very happy for our GH MCP Server to be your example. The conversations you are inspiring are extremely important. Given the GH MCP server can trivially be locked down to mitigate the risks of the lethal trifecta I also hope people realise that and don’t think they cannot use it safely.
“Unless you can prove otherwise” is definitely the load bearing phrase above.
I will say The Lethal Trifecta is a very catchy name, but it also directly overlaps with the trifecta of utility and you can’t simply exclude any of the three without negatively impacting utility like all security/privacy trade-offs. Awareness of the risks is incredibly important, but not everyone should/would choose complete caution. An example being working on a private codebase, and wanting GH MCP to search for an issue from a lib you use that has a bug. You risk prompt injection by doing so, but your agent cannot easily complete your tasks otherwise (without manual intervention). It’s not clear to me that all users should choose to make the manual step to avoid the potential risk. I expect the specific user context matters a lot here.
User comfort level must depend on the level of autonomy/oversight of the agentic tool in question as well as personal risk profile etc.
Here are two contrasting uses of GH MCP with wildly different risk profiles:
- GitHub Coding Agent has high autonomy (although good oversight) and it natively uses the GH MCP in read only mode, with an individual repo scoped token and additional mitigations. The risks are too high otherwise, and finding out after the fact is too risky, so it is extremely locked down by default.
In contrast, by if you install the GH MCP into copilot agent mode in VS Code with default settings, you are technically vulnerable to lethal trifecta as you mention but the user can scrutinise effectively in real time, with user in the loop on every write action by default etc.
I know I personally feel comfortable using a less restrictive token in the VS Code context and simply inspecting tool call payloads etc. and maintaining the human in the loop setting.
Users running full yolo mode/fully autonomous contexts should definitely heed your words and lock it down.
As it happens I am also working (at a variety of levels in the agent/MCP stack) on some mitigations for data privacy, token scanning etc. because we clearly all need to do better while at the same time trying to preserve more utility than complete avoidance of the lethal trifecta can achieve.
Anyway, as I said above I found your talks super interesting and insightful and I am still reflecting on what this means for MCP.
Thank you!
I’ve ordered refurbed Paper Pro and Move.
Things that excited me about the device:
- with significant AI use I feel I need this more than ever. Drafting, thinking, note taking, annotating etc. - it looks wonderful for todos, shopping lists etc. - width designed to work with Paper Pro (and the landscape mode experience seems solid from reviews), so I will try the dual device setup - I didn’t always have RM2 with me, and I’m hoping this will now change to genuinely always. - I learned to love the constraints and for example I’ve discovered a love of Brandon Sanderson, Liu Cixin, Cory Doctorow, and countless other authors precisely because I went all in on DRM free ebooks, I want to expand that to graphic novels also hence the paper pro. - I do get random inspiration and obsidian has been my powerhouse for oh the go notes but I’m hoping scrybble.ink will now let me bring remarkable documents into obsidian. - very un-invasive to take notes in conversations etc.
Sure it’s a complete indulgence, but it helps me to enjoy note taking, being my library with me etc. and I find constraints foster my creativity and exploration and I lean into them.