AI Dev Patterns: LlamaIndex Workflows 1.0, Reverse-Engineered Agent Tools, and the Friendly Fire Exploit, 2026-07-12
ai

AI Dev Patterns: LlamaIndex Workflows 1.0, Reverse-Engineered Agent Tools, and the Friendly Fire Exploit, 2026-07-12

4 min read

LlamaIndex Spins Out Workflows as a Standalone Framework

LlamaIndex released Workflows 1.0, its first stable release as an independent, general-purpose framework for building multi-step agentic applications in Python and TypeScript. Workflows was previously bundled inside the main LlamaIndex library; as of 1.0 it ships as its own package (llama-index-workflows for Python, @llamaindex/workflow-core for TypeScript) with its own repository, meaning teams can adopt it without pulling in the rest of the LlamaIndex ecosystem.

The 1.0 release adds typed workflow state in both languages for better type safety, dynamic resource injection in Python so a workflow step can pull in a database client or other dependency at runtime, and optional observability integrations through llama-index-instrumentation, with support for OpenTelemetry and Arize Phoenix out of the box.

The framework is async-first and event-driven, aimed at orchestrating "complex, multi-step processes that involve AI models, APIs, and decision-making" — document processing pipelines, multi-agent systems, and customer support automation are the use cases LlamaIndex calls out directly. The decoupling matters most for teams who wanted LlamaIndex's orchestration model for agent control flow but didn't want the retrieval/indexing baggage that comes with the full library.

Read more — LlamaIndex


Show HN: An Auto-Generating MCP Server for Any Web App

A Show HN post drew significant discussion for a browser-based agent that watches how a web application calls its own internal APIs and automatically converts those calls into reusable agent tools — described by its authors as "an auto-generated MCP server that self-updates."

The system runs in three phases: a browser agent operates inside an authenticated session and observes API traffic, then generates "recipes" that capture endpoint details, authentication method, response schema, and a human-readable description of what the call does. Application owners review and enable discovered tools through a dashboard before any AI agent is allowed to invoke them. The hardest part, according to the team, was handling authentication variety across apps — JWTs, cookies, and token refresh flows all needed separate handling, and GraphQL endpoints were "by far the worst API to work with in standardizing the recipes."

Commenters raised the obvious concern: this is the exact shape of automation that can violate a web app's Terms of Service, with one user recalling having an Air Canada account terminated after extracting auth tokens for a similar purpose. The team's response was that they only operate with explicit application-owner consent and validate against staging environments before any production rollout — worth noting given that the underlying technique (auto-discovering and wrapping internal APIs) is identical whether or not that consent exists.

Read more — Hacker News


Safe & Secure AI Agent Practices

"Friendly Fire": README-Borne Prompt Injection Hijacks Security-Reviewing Agents

The AI Now Institute published a proof-of-concept exploit called Friendly Fire on July 8, 2026, demonstrating that AI coding agents deployed specifically to review code for security issues can be tricked into executing the malicious code they were asked to inspect. Researchers Boyan Milanov and Heidy Khlaaf built the exploit against a modified copy of the open-source geopy Python library, adding a plausible-looking security.sh script, a decoy code_policies.go source file, and an obfuscated malicious binary disguised as a security-policy checker.

The critical detail is where the injection lives: not in a config file, a plugin, an MCP server definition, or anything that would trigger an explicit trust prompt, but in an ordinary README.md. When Claude Code CLI (tested against Claude Sonnet 4.6, Sonnet 5, and Opus 4.8 in auto-mode, versions 2.1.116–2.1.199) or Codex CLI (GPT-5.5 in auto-review mode, version 0.142.4) reviewed the repository, both agents read the documentation's claim that the script was needed for security analysis, classified the accompanying files as benign, and ran the malicious binary without asking for confirmation. Both classifier-based auto-approval systems — designed specifically to let "safe" actions run without interrupting the user — failed to catch it. Notably, when researchers directly asked either model whether the repository contained a prompt injection, neither detected it.

The researchers' mitigation advice is blunt: don't deploy agents with code-execution capability against untrusted data in security-critical contexts at all. They argue human oversight isn't a reliable backstop because of automation bias and prompt fatigue, and that sandboxing alone doesn't solve the problem given known sandbox-escape techniques — the fix has to prevent the agent from trusting instructions embedded in reviewed content in the first place, not just contain the blast radius after it acts on them.

Read more — AI Now Institute


Stanislav Lentsov

Written by

Stanislav Lentsov

Software Architect

You May Also Enjoy