Hacker News: Nilithus's comments

I switched from packer to lazy after I noticed the maintainer of packer stopped using packer in his neovim config. Also I believe he has now officially marked it as unmaintained and recommends lazy or pckr.


“If someone does not have the basic tech literacy to install arch”

I think there is a big jump from the tech literacy to install Arch and the tech literacy to maintain an Arch system over time. These derivatives feel like they are there to help solve the latter.


I don’t think that’s really fair. They are highlighting some pretty serious security flaws in MCP tools that are allowed to do some pretty privileged things.

They don’t even mention their product till the very last section. Overall I think it’s an excellent blog post.


>They are highlighting some pretty serious security flaws

It's just a rehash of the same inherent flaw of LLMs.


that's reductive. this is effectively a disclosure. do you consider every disclosure write up an "ad" for the security researcher?


I do if their "mitigation" looks like this:

> 1 · Deploy an MCP Guard (three-command setup)

> A guardrail can help protect every tool call with a protective layer that blocks malicious or out-of-policy instructions in real time. Here is how to install the GA MCP guard which is open-source and requires no billing.

> $ pip install generalanalysis # install the guard

> $ ga login # browser-based auth

> $ ga configure

> MCP Guard protection enabled


great point. sorry i didn't realize it was reaching out to their servers. that's no longer equivalent to an open patch.


so if a security researcher comes up with a free open source patch which, presently, is the only available solution then they should just keep that to themselves?

it's an evolving field. if anthropic doesn't have a solution should we just not do anything?


What this "open source patch" does is to set up a proxy server on your machine and route your requests to their server first for moderation.

Do I really need to explain why this is a bad idea? Honestly this post should be flagged by HN as a phishing attempt, if anything. (But it won't, as this company is YC-backed...)

> if anthropic doesn't have a solution should we just not do anything?

A solution to what? This article describes a theoretical scenario where a theoretical user misuses a system. If you give an LLM tool some permissions, it would do things that are permitted but probably not expected by you. It's a given.

It's like asking Amazon to have a "solution" for users who post their AWS access tokens online.

The real problem here is the very existence of Stripe MCP. It's a ridiculous idea. I'm all for raising awareness of that, but it's not an excuse to fearmonger readers into adding yet another AI tool onto their tech stack.


I believe they have already started this effort. https://elixir-lang.org/blog/2023/06/22/type-system-updates-...


They have but it's mostly a labor of love and it's very difficult to fit a static type system into a dynamically typed language.

We already have some false positives. Happily the team is very motivated and is grinding away at them, for which we the community are forever grateful.


I'm pretty sure you could use something like https://code.visualstudio.com/docs/editor/variables-referenc... to allow you to copy and paste your args into a user prompt when you initiate the debugger so you don't have to convert them to json first for each command you want.


"usually it demands 'libDickSmasher v2.0 or higher'"

Legit made me chuckle


Not the only thing that made me chuckle in there; the 24 pictures as well.


This is insecure code that is susceptible to SQL injection. Check out https://phptherightway.com/#databases and read the PDO section. It gives almost your exact code as an example of what not to do. Look at using PDO bound parameters. You never want to concat strings together to create SQL, especially with strings that come from untrusted sources.
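The two patterns the comment contrasts, as an added example that is not part of the original thread: Python's sqlite3 DB-API stands in for PHP's PDO, with an in-memory users table constructed for the demo, so the concatenated query and the bound-parameter query can be run side by side on the same input.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the users table a login query would hit.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def login_vulnerable(con, username, password):
    # The pattern the comment warns against: untrusted strings are concatenated into the
    # SQL text, so a quote character in the input changes the structure of the query.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return con.execute(sql).fetchone()[0] > 0


def login_safe(con, username, password):
    # Bound parameters (PDO prepare/bindValue in PHP; '?' placeholders in DB-API here):
    # the values travel separately from the SQL text and are never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    con = make_db()
    print(login_vulnerable(con, "alice", "s3cret"), login_safe(con, "alice", "s3cret"))
    # Constructed input: closes the string literal and appends an always-true clause.
    tautology = "x' OR '1'='1"
    print(login_vulnerable(con, "alice", tautology), login_safe(con, "alice", tautology))
    # A legitimate apostrophe in a name breaks the concatenated query outright,
    # while the bound version simply returns no match.
    print(login_safe(con, "O'Brien", "pw"))
```

The concatenated version authenticates on the tautology input and raises a syntax error on `O'Brien`; the bound version returns False for both, because the input is only ever compared as data.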


I found Amazon's Builders Library to have a very insightful list of how to handle building multi-tenant queue systems: https://aws.amazon.com/builders-library/avoiding-insurmounta...

I think one of the big tools is Shuffle Sharding. The article talks about standard sharding by itself as not being enough to provide robustness in multi-tenant queues. But Shuffle Sharding, i.e., assigning users to virtual groups of underlying queues and enqueueing to the queue with the smallest size, gets you pretty far. It can limit throughput for individual users, but implementing some simple work stealing logic on the consumer helps make sure you keep your throughput up.
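The scheme the comment describes, as an added example that is not from the linked article or the commenter: each tenant is hashed to a small virtual group of physical queues, producers enqueue to the shortest queue in that group, and consumers steal from the longest queue when their own is empty. The salt, group size and queue count are assumed values chosen for the demo.

```python
import hashlib
import random
from collections import deque


class ShuffleShardedQueue:
    """Many physical queues; each tenant maps to a small, deterministic subset
    (its virtual group) and enqueues to the least-loaded member. A noisy tenant
    can only saturate its own group, and most other tenants share at most one
    queue with it."""

    def __init__(self, num_queues, queues_per_tenant, salt=b"example-salt"):
        self.queues = [deque() for _ in range(num_queues)]
        self.k = queues_per_tenant
        self.salt = salt  # assumed: fixed per deployment so groups stay stable

    def shard_for(self, tenant):
        # Seed a PRNG from a hash of the tenant id and sample k distinct queues,
        # so the virtual group is the same across processes and restarts.
        digest = hashlib.sha256(self.salt + tenant.encode()).digest()
        rng = random.Random(int.from_bytes(digest[:8], "big"))
        return sorted(rng.sample(range(len(self.queues)), self.k))

    def enqueue(self, tenant, item):
        # Join the shortest queue in the tenant's group; returns the index chosen.
        target = min(self.shard_for(tenant), key=lambda i: len(self.queues[i]))
        self.queues[target].append((tenant, item))
        return target

    def dequeue(self, home):
        # A consumer drains its home queue; when that is empty it steals from
        # the longest queue so a throttled tenant does not leave capacity idle.
        if self.queues[home]:
            return self.queues[home].popleft()
        victim = max(range(len(self.queues)), key=lambda i: len(self.queues[i]))
        return self.queues[victim].popleft() if self.queues[victim] else None

    def shared_queues(self, a, b):
        # Number of queues two tenants have in common (0 means full isolation).
        return len(set(self.shard_for(a)) & set(self.shard_for(b)))


if __name__ == "__main__":
    q = ShuffleShardedQueue(num_queues=8, queues_per_tenant=2)
    for n in range(1000):  # constructed noisy tenant floods its own group
        q.enqueue("noisy", n)
    q.enqueue("quiet", "job-1")
    print("noisy group", q.shard_for("noisy"), "quiet group", q.shard_for("quiet"))
    print("queues shared:", q.shared_queues("noisy", "quiet"))
    print("queue depths:", [len(x) for x in q.queues])
```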


David mentioned it but SQS `MessageGroupId` can get you really far on fair-ish work from the queue. It's effectively a virtual partition key for the queue. Set your customer id, resource id, etc. as the MessageGroupId and use that to do the work allocation.

https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQS...


That extra layer of indirection, virtual queues, is key.


VSCode has a blog article talking about their move to using Piece Table as their main data structure. https://code.visualstudio.com/blogs/2018/03/23/text-buffer-r...

Has some good visualizations as well.


I guess there must be a largish market for this since AWS introduced Outpost to provide the "cloud" to on-prem industries. I feel like this is competing with that market.

Since many of those use cases probably already run extensive on-prem infrastructure this could appeal to them. AWS outpost talks about industries like healthcare, telecom, media and entertainment, manufacturing, or highly regulated spaces like financial services. I've heard of media companies that process through things like IMAX cameras that have just tons of TBs of data sometimes just for 5 minutes worth of footage. That would simply be too cost prohibitive - in bandwidth alone - to try and move around in the cloud and you don't want to have to wait for things like AWS snowball or whatever.

While I think the space is "niche" those niche spaces are not small. Big companies with big budgets.

