The prompt injection via telemetry point is sharp. Same class of problem shows up whenever an agent reads structured data from an untrusted source — contract ABIs, API responses, even config files.
Observability is a good forcing function for thinking about this! (At least tracepoint data has a known schema. Unstructured sources are worse.)
Most MCP servers and Apps are way under-designed today. A lot of MCP B2B servers still wrap legacy APIs, and most MCP Apps try to reproduce a website experience instead of trying to reinvent the experience from scratch.
It feels like we're in the early mobile years where companies have not figured out what to do with this new technology. I hope the Uber and Candy Crushes of the AI era will land in 2026! (well, maybe not Candy Crush, but some AI-native games would be nice)
Every week these model providers are coming out with new toys. I don't fault orgs for minimally investing in MCP when the space is moving so fast and there's no telling whether or not MCP is here to stay.
Isn't the MCP endpoint that allows AI agents to run custom SQL queries essentially letting your monitoring database be manipulated by a potentially malicious AI agent? Like, if the AI agent has full rein over the DB and it can't find a solution to, let's say, a perf bug, it may just rewrite that data and say it has "solved" the bug. And this is literally the least concerning example I could come up with.
why can't this be a cli tool? then you can get an agent to write a script that programmatically calls the cli tool in addition to the agent calling it directly.