Hah, yeah that's the exact same vulnerability - looks like Neon's MCP can be set up for read-write access to the database, which is all you need to get all three legs of the lethal trifecta (access to private data, exposure to malicious instructions and the ability to exfiltrate).
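A minimal runtime guardrail for the trifecta described above, added here as an example (not code from any commenter, nor from Neon or Tramlines): it tracks which of the three legs a session has already touched and refuses the exfiltration-capable call that would complete all three. The tool names and the capability map are constructed for illustration.

```python
# Constructed example: a session-level guard over MCP tool calls that blocks the
# call which would complete the "lethal trifecta" (private data + untrusted
# content + an exfiltration channel). Tool names and capabilities are made up.
from dataclasses import dataclass, field

PRIVATE_READ = "private_read"        # tool can read private data
UNTRUSTED_INPUT = "untrusted_input"  # tool returns attacker-influenced content
EXFIL = "exfil"                      # tool can move data outside the trust boundary
TRIFECTA = {PRIVATE_READ, UNTRUSTED_INPUT, EXFIL}

# Hypothetical capability annotations; a real deployment would derive these
# from the MCP server's tool manifest plus operator review.
TOOL_CAPS = {
    "db_query":  {PRIVATE_READ},
    "db_write":  {EXFIL},                    # read-write DB access doubles as a sink
    "read_email": {PRIVATE_READ, UNTRUSTED_INPUT},
    "fetch_url": {UNTRUSTED_INPUT, EXFIL},   # fetched pages are untrusted; URLs carry data out
}


@dataclass
class SessionGuard:
    seen: set = field(default_factory=set)   # capabilities exercised so far
    log: list = field(default_factory=list)  # allow/block decisions for audit

    def check(self, tool: str) -> bool:
        """Return True if the call is allowed, False if it is blocked."""
        caps = TOOL_CAPS.get(tool, set())
        would_have = self.seen | caps
        # Only the exfiltration-capable call that closes the loop is refused;
        # reads and untrusted ingestion on their own stay permitted.
        if EXFIL in caps and TRIFECTA <= would_have:
            self.log.append(f"BLOCK {tool}: session already has {sorted(self.seen)}")
            return False
        self.seen |= caps
        self.log.append(f"ALLOW {tool}")
        return True


def run_sequence(calls):
    """Evaluate a tool-call sequence; returns (decisions, audit log)."""
    guard = SessionGuard()
    return [guard.check(c) for c in calls], guard.log
```

The guard is order-independent: whichever leg arrives last, the block lands on the first exfiltration-capable call made after the other two legs are present.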
We power Tramlines.io, a platform that offers runtime guardrails to secure MCP interactions. Tools like Shortwave AI Email, when combined with MCP, open up rich capabilities—but also new attack surfaces. Tramlines acts as a protective layer to intercept and constrain malicious or unintended MCP tool usage.
We wrote a blog post on the runtime guardrails tramlines.io powers to stop token bleeding that is common with browser automation MCPs like Playwright etc.
These guardrails should allow for smoother usage of Playwright with automation workflows in Claude Code, Cursor etc.
Hey everyone,
It’s currently very difficult to block control flow and data flow exploit attacks on agentic AI systems. To demonstrate this, we built a dashboard that models specific tool call sequences to replicate real-world exploit scenarios.
On another note, it is ridiculously easy to find attack exploits for any of the popular MCP servers serving traffic. We built a dashboard where you can model exploits yourself - https://hack.mcpwned.com
We wrote a fun tool where we trained an LLM to find end-to-end control flow and data flow exploits for any open source MCP server - https://hack.mcpwned.com/dashboard/scanner