Last week Invariant Labs discovered a vulnerability in the Github MCP that lets you exfiltrate data from private repos via a public issue through prompt injection.

At the root of the issue was the lack of implemented granular permissions. Claude Desktop authenticates to Github via a personal access token (PAT) and over permissive PATs are what allowed the prompt injection.

When digging deeper, the challenge you face is that the permissions allowed by the base system (e.g., Github) does not allow you to implement least privilege. An agent that creates and commits PRs must also be given the ability to approve and merge them. This makes you choose between enforcing least privilege and increasing the value an agent can provide.

You may have guessed it, but I believe the solution is to have a decoupled centralized permissions layer on top of what the system natively gives. This way you can ensure an agent can create PRs without ever approving or merging them.

The goal is to not limit the ability of the agent but to provide the right guardrails in which it can operate. You can read the blog to see how we we're able to achieve this!