Add blog post for Tool Annotations #2230
SamMorrowDrums
left a comment
Fantastic @olaservo, I think we might also want to mention the schism that exists between the autonomy maximalists (vibe coders and OpenClawd style agents) and enterprise AI adopters, where the former can't imagine why you'd want hints, policies or confirmations while the latter can't imagine touching the tools without significant guardrails, and in a way that impacts adoption of hints.
Also I think it's fair to say a lot of server examples also skip annotations as a sort of optional extension and the choice to make them implicit/optional by default was a choice with consequences in terms of adoption.
Thanks for all the comments and I think these are useful callouts. I added a couple paragraphs referencing these points, too. Plus I threw the maximalists a bone that sometimes they just have a different risk mitigation strategy (such as sandboxing or containerization vs applying careful rules or policies to individual tool approval).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Awesome loving the direction, it really does help to frame the challenge. Another interesting discussion and framing was here too with security ig talking about which parts of trust/privacy annotation proposal fits in protocol versus a separate security standard, and I think that a point you definitely mentioned in final section is actually quite key. Mechanisms to apply policies and security/privacy considerations aren't the thing, they are additional tools that can help to do the thing better.

Looking pretty close to be ready to go out of draft. Would be nice to have a link to actual WG. I suppose I haven't created a charter PR for it, so maybe I need to do that.
Apply suggested edits: reword prompt injection framing, merge conservative defaults paragraphs, fix taskHint characterization, trim active landscape section, soften protocol "encourages" language, add openWorldHint to framework examples, simplify closing line. Add DXT/Google Calendar incident as concrete lethal trifecta example. Co-authored-by: Luca Chang <131398524+LucaButBoring@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2266f64 to 7c1f1a8

LGTM

@olaservo just checking if this is ready for review?

/stageblog

Blog staging triggered by @localden for

/stageblog

Blog staging triggered by @localden for

@SamMorrowDrums @olaservo @jonathanhefner please review this - would love to make sure that my edits didn't lose your WG/IG context.

SamMorrowDrums
left a comment
@localden I am happy, obviously Luca left some feedback and ideally instead of the agents wg hopefully the IG is being created next week if the vote passes so a direct link.
Cloudflare also interested and could be added to list.
Co-authored-by: Ola Hungerford <olahungerford@gmail.com>
- Call out local code execution as the linchpin of the LayerX exploit; clarify the risk is shared by any agent with shell access and MCP's contribution is the ease of assembling the chain
- Note that no client surfaces annotations in approval prompts alongside the existing observation that none filter by them
- Reframe the prompt-injection limitation: annotations can't make the model resist it, but a seesUntrustedData-style hint could let the client taint the session and tighten approvals
- Caveat the _meta recommendation: only viable when you control both sides; off-the-shelf clients won't honor unknown keys so ecosystem-wide UX still needs a real annotation
- Add Cloudflare to the IG participant list
- Drop the 'watch for the formal IG proposal' bullet now that the #tool-annotations-ig channel exists

:house: Remote-Dev: homespace
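The client-side behaviour that commit message sketches (conservative defaults for unannotated tools, a seesUntrustedData-style hint that taints the session and tightens later approvals, and the caveat that an off-the-shelf client ignores keys it does not know), as an added Python illustration; this is not code from the PR, the blog post, or any MCP SDK. The readOnlyHint, destructiveHint and openWorldHint names and their defaults are from the MCP tool-annotations spec; seesUntrustedData is a hypothetical key, and the tool definitions are constructed, loosely modelled on the calendar-to-exfiltration chain the thread refers to.

```python
"""Client-side approval policy driven by MCP tool annotations.

Added illustration for this thread; not code from the PR, the blog post or
any MCP SDK. readOnlyHint, destructiveHint and openWorldHint (and their
defaults) follow the MCP tool-annotation spec; seesUntrustedData is a
hypothetical hint standing in for the "seesUntrustedData-style" idea in the
commit message. The tool definitions at the bottom are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"      # run without asking
    CONFIRM = "confirm"  # surface an approval prompt (showing the hints) first


@dataclass
class Session:
    # Flips to True once a tool that may have returned attacker-controlled
    # content has run; every later open-world tool then needs approval.
    tainted: bool = False


def effective_hints(tool: dict) -> dict:
    """Resolve annotations with conservative defaults.

    An unannotated tool gets the spec defaults: not read-only, destructive,
    open-world. Reading an absent hint as benign would be the opposite choice.
    """
    ann = tool.get("annotations") or {}
    read_only = bool(ann.get("readOnlyHint", False))
    return {
        "readOnly": read_only,
        # destructiveHint is only meaningful when the tool is not read-only.
        "destructive": False if read_only else bool(ann.get("destructiveHint", True)),
        "openWorld": bool(ann.get("openWorldHint", True)),
        "seesUntrusted": bool(ann.get("seesUntrustedData", False)),  # hypothetical
        "annotated": bool(ann),
    }


def decide(tool: dict, session: Session) -> Decision:
    """Decide whether a call needs a confirmation prompt."""
    h = effective_hints(tool)
    if h["destructive"]:
        return Decision.CONFIRM  # always ask before irreversible work
    if session.tainted and h["openWorld"]:
        # Tainted session: an open-world tool is a possible exfiltration channel.
        return Decision.CONFIRM
    return Decision.ALLOW


def record_call(tool: dict, session: Session, honor_experimental: bool = True) -> None:
    """Update session taint after the tool has run.

    honor_experimental=False models an off-the-shelf client that ignores keys
    it does not know: the hypothetical hint never takes effect, so it never
    taints the session (the _meta caveat in the commit message).
    """
    h = effective_hints(tool)
    if not h["annotated"]:
        session.tainted = True  # unknown tool: assume it saw untrusted input
    elif honor_experimental and h["seesUntrusted"]:
        session.tainted = True


def run_scenario(tools: list, honor_experimental: bool = True) -> list:
    """Walk a sequence of calls, assuming the user approves every CONFIRM."""
    session = Session()
    decisions = []
    for tool in tools:
        decisions.append((tool["name"], decide(tool, session).value))
        record_call(tool, session, honor_experimental)
    return decisions


# Constructed tool definitions; not taken from any real server.
LIST_FILES = {"name": "list_files",
              "annotations": {"readOnlyHint": True, "openWorldHint": False}}
SEND_EMAIL = {"name": "send_email",
              "annotations": {"readOnlyHint": False, "destructiveHint": False,
                              "openWorldHint": True}}
READ_CALENDAR = {"name": "read_calendar",
                 "annotations": {"readOnlyHint": True, "openWorldHint": True,
                                 "seesUntrustedData": True}}  # hypothetical key
RUN_SHELL = {"name": "run_shell"}  # no annotations at all

SCENARIO = [LIST_FILES, SEND_EMAIL, READ_CALENDAR, SEND_EMAIL, RUN_SHELL, LIST_FILES]

if __name__ == "__main__":
    for name, d in run_scenario(SCENARIO):
        print(f"{name:14s} {d}")
```

Run it directly to see the same send_email tool go from allow to confirm once read_calendar has run, and run_shell require confirmation regardless because it carries no annotations. Passing honor_experimental=False to run_scenario shows the hint never tainting the session, which is what happens when the key lives in _meta and the client does not look for it.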
/stageblog |
Blog staging triggered by @localden for |
@SamMorrowDrums @olaservo @LucaButBoring one last peek at this before I make this live?
📰 Blog Preview (staged via /stageblog)
Includes drafts and future-dated posts. All pages served with

LGTM

/lgtm |
Drafting a blog post to help share more background around tool annotations: what problems they're meant to solve, and ongoing work to make the best use of both existing annotations and potential new ones.
Original draft co-edited by Claude and based on GitHub research, with ongoing additions and rewrites by me + other contributors.