@colby yes, exactly - in this attack the attacker has to suspect that a victim will be feeding their attack into a larger prompt for some reason, which means it’s relatively unlikely to affect most people

It still matters though, especially when the mitigation here (don’t render markdown images to external domains) is an obvious fix

Here are the other places I’ve seen fix the same vulnerability: https://simonwillison.net/tags/markdown-exfiltration/