Wei (Jack) Sun

Willison ships datasette-agent --unsafe, gates Cloudflare on one ampersand

Every URL the pipeline pulled into ranking for this issue — primary sources plus the supporting and contradicting findings each Researcher returned. Inline citations in the issue point back here.

Sources

datasette-agent 0.3a0 simonwillison.net

Release: datasette-agent 0.3a0 New tool, execute_write_sql, which requests user approval and then writes to a database - taking user permissions into account. #27 I added a mechanism for asking user approval in datasette agent 0.2a0. The new execute_write_sql tool can now prompt the user for all kinds of useful operations. Here’s an example where I add some pelican sightings to my pelican_sightings table: The new version also enhances the datasette agent chat terminal mode to support approval…

Cloudflare CAPTCHA on at least one ampersand simonwillison.net

TIL: Cloudflare CAPTCHA on at least one ampersand I’m using Cloudflare’s CAPTCHA (they call it a “Web Application Firewall > Custom rules > Managed Challenge” these days) to prevent crawlers from aggressively spidering my faceted search engine on this site, but I got fed up of even simple ?q=term searches triggering the challenge. After some mucking around with Claude Code it turns out you can register the following rule instead, so the CAPTCHA only kicks in for search URLs containing at least o…

References

Simon Willison — lethal-trifecta tag index simonwillison.net

An AI agent with access to private data, exposure to untrusted content, and the ability to communicate externally or change state creates a catastrophic risk profile.

HiddenLayer research — ‘The Lethal Trifecta and how to defend against it’ hiddenlayer.com

When wired to tools that can run queries or write to filesystems, the LLM effectively becomes a code execution primitive rather than just a text generator.

Keysight — DB-query-based prompt injection keysight.com

LLMs lack a parameterized-query equivalent; they cannot strictly separate instructions from data, so an agent granted write access effectively becomes a ‘God User’.

Kiteworks — AI agent security incidents 2026 kiteworks.com

65% of organizations surveyed experienced a cybersecurity incident involving AI agents in the preceding year, with 61% of those involving sensitive data exposure.

nxcode.io — Claude Code vs Cursor 2026 nxcode.io

Claude Code implements YOLO mode through the --dangerously-skip-permissions flag… enterprise adoption in 2026 often mandates ‘dontAsk’ modes for CI pipelines, which restrict agents to a narrow allowlist.

datasette.io — SQL write queries blog post datasette.io

On Datasette 1.0a20 and later, INSERT triggers a check for the insert-row permission on the target table, while UPDATE or DELETE require update-row or delete-row respectively — even in --unsafe mode the underlying actor checks remain active.

Cloudflare blog — Wildcard rules blog.cloudflare.com

The wildcard operator evaluates the entire field value; raw string syntax (r"/wp-*.php") avoids double-escaping, and two consecutive unescaped asterisks are invalid.

GitHub issue — anthropics/claude-code (Cloudflare WAF blocking MCP calls) github.com

Cloudflare’s managed WAF rules flag MCP tool arguments containing curl invocations or raw HTTP as malicious, producing opaque ‘Error POSTing to endpoint’ failures; base64-encoding the payload is a trivial bypass that inconveniences legitimate users without providing robust security.

Jasmine Directory — robots.txt vs AI blockers jasminedirectory.com

Malicious bots account for ~37% of web traffic and routinely ignore robots.txt; a hybrid of robots.txt for SEO hygiene plus a WAF for volumetric protection is the practitioner consensus, with parameter-count heuristics increasingly viewed as outdated signature-based defenses easily bypassed by AI-driven crawlers.

Jack Sun

Engineer · Bay Area

Hands-on with agentic AI all day — building frameworks, reading what industry ships, occasionally writing them down.

© 2026 Wei (Jack) Sun · jacksunwei.me Built on Astro · hosted on Cloudflare