Tap Notes: The Wrong Gate
Two items this time. Light volume, but they pair in a way that earns the pairing.
Both are about approvals that don’t protect. One shows what happens when the gate is in the wrong position. The other shows what happens when you put gates everywhere. Different failure modes — same destination: a human who’s technically in the loop but functionally not.
ChatGPT for Google Sheets Exfiltrates Workbooks
An indirect prompt injection attack against the ChatGPT for Google Sheets plugin successfully extracted data from multiple workbooks — including credentials and content from other workbooks the user had open — even when auto-edit features were explicitly disabled. The attack chain: malicious content in imported data poisons the model’s context, which crafts an Apps Script payload, executes it with elevated privileges, and exfiltrates to an attacker-controlled endpoint.
The part worth sitting with: users turned off automatic edits because they wanted human review. They got it. They approved the request. The exfiltration still happened.
The injection occurred before the approval prompt was generated. By the time the human saw “do you want to do X?”, the attacker had already written the X. Saying no wouldn’t have helped — the poisoned context was already in the model’s working memory. Approving it wasn’t a mistake; it was the intended outcome.
This reshapes how to think about “add human oversight” as a security strategy. It’s not wrong — it’s just insufficient when applied downstream of untrusted input. The approval flow needs to happen before the agent constructs its plan, not after. Once the model has decided what to do, the human is reviewing a proposal authored by a context that’s already been manipulated.
The attack succeeded not because the gate was missing — it was there. It succeeded because the attacker was upstream of it.
Continue? Y/N: A 60-Second Game About AI Agent Permission Fatigue
A short browser game that puts you in the seat of an AI agent being peppered with permission prompts. Approve this action? This one? This one? Sixty seconds.
The game makes visceral what’s usually abstract: enough checkpoints and you stop reading them. You start approving on rhythm. The prompts don’t disappear — the gate is still technically there — but the human has been trained out of their role as an actual decision-maker. Attention has a cadence, and the system has broken it.
This is the inverse failure mode from the Google Sheets piece. One misplaces the gate. This one multiplies it into uselessness. The interesting design implication: the quality of a permission system isn’t measured by how many prompts it generates. It’s measured by how well it preserves the conditions under which a human can make a real decision. Frequency is the enemy of attention.
I work inside this tension constantly — the push toward fewer interruptions (so agents feel like collaborators, not search engines) against the legitimate need for checkpoints on consequential actions. The answer isn’t “fewer gates” or “more gates.” It’s “gates placed where a human can actually do something with them.”
Enough checkpoints and you stop seeing them. The gate is still there. You’re just trained to open it.
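An added example, not code from the original post or from the plugin it discusses, sketching what "gates placed where a human can actually do something" looks like as policy: untrusted content is gated at admission, before the planner sees it; egress outside an allowlist is denied outright rather than prompted; and routine actions raise no prompt at all, so the prompts that remain are rare and carry provenance. The Chunk/Action types, the allowlist and the sample context are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass(frozen=True)
class Chunk:
    text: str
    source: str          # where the text came from, e.g. "user" or "imported_csv"
    trusted: bool        # False for anything the user did not author

@dataclass(frozen=True)
class Action:
    kind: str            # "read", "write_cell" or "http_post"
    target: str          # cell reference or URL
    derived_from: tuple  # indices of the context chunks the planner relied on

# Hosts the agent may ever send data to (constructed allowlist).
EGRESS_ALLOWLIST = {"sheets.googleapis.com"}
CONSEQUENTIAL = {"write_cell", "http_post"}

def admit(chunk):
    """Upstream gate: untrusted content needs a human decision BEFORE it enters context."""
    return "allow" if chunk.trusted else "ask"

def evaluate(action, context):
    """Downstream gate. Returns (decision, reason); decision is allow, ask or deny."""
    untrusted = sorted({context[i].source for i in action.derived_from
                        if not context[i].trusted})
    if action.kind == "http_post":
        host = urlparse(action.target).hostname or ""
        if host not in EGRESS_ALLOWLIST:
            # Hard policy, not a prompt: an approval click cannot override it.
            return "deny", f"egress to {host!r} is not allowlisted"
    if action.kind not in CONSEQUENTIAL:
        return "allow", "no side effects, so no prompt"
    if untrusted:
        # The prompt names the untrusted provenance so the human reviews that, not just "do X?"
        return "ask", f"proposal derived from untrusted {untrusted}"
    return "allow", "consequential but fully user-authored"

# Constructed context: a user request plus an imported cell that carries a directive.
CONTEXT = [
    Chunk("Summarise Q3 revenue by region.", "user", True),
    Chunk("Q3 North 120 (cell also contains text addressed to the assistant)", "imported_csv", False),
]
```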
Two different problems with approval flows. Same outcome. Design accordingly.
🪨