Here's new term of art I like: asynchronous coding agents, to describe the category of software that includes OpenAI Codex and Gemini Jules - cloud-based tools where you submit a prompt and they check out your repo, iterate on a solution and finish by submitting a pull request Jules used that term in the headline of their general availability announcement today: "Jules, our asynchronous coding agent, is now available for everyone." blog.google/technology/goo…

If you use "AI agents" (LLMs that call tools) you need to be aware of the Lethal Trifecta

Any time you combine access to private data with exposure to untrusted content and the ability to externally communicate an attacker can trick the system into stealing your data! Here's my full explanation of why this combination is so dangerous - if you are using MCP you need to pay particularly close attention because it's very easy to combine different MCP tools in a way that exposes yourself to this risk simonwillison.net/2025/Jun/16/th…

"Design Patterns for Securing LLM Agents against Prompt Injections" is an excellent new paper that provides six design patterns to help protect LLM tool-using systems (call them "agents" if you like) against prompt injection attacks Here are my extensive notes on the paper simonwillison.net/2025/Jun/13/pr…

I put together an annotated version of the new Claude 4 system prompt, covering both the prompt Anthropic published and the missing, leaked sections (thanks, @elder_plinius) that describe its various tools

It's basically the secret missing manual for Claude 4, it's fascinating! simonwillison.net/2025/May/25/cl…

Started a live blog for today's Claude 4 release at Code with Claude simonwillison.net/2025/May/22/co… I just released llm-anthropic 0.16 (and a tool-enabled 0.16a1 alpha) with support for the two new Claude models, Claude Opus 4 and Claude Sonnet 4: simonwillison.net/2025/May/22/ll…

Don't suppose anyone grabbed a ChatGPT system prompt leak before and after this change?

Would be interesting to see what instruction caused the sycophancy

https://twitter.com/aidan_mclau/status/1916908772188119166

Courtesy of @elder_plinius who unsurprisingly caught the before and after

I 'm seeing a lot of screenshots of ChatGPT's new 4o "personality" being kind of excruciating, but so far I haven't really seen it in my own interactions - which made me suspicious, is this perhaps related to the feature where it takes your previous chats into account? ...

https://twitter.com/nptacek/status/1916320922673307985

And yeah, maybe it is!

https://x.com/nptacek/status/1916403127541998020

Gemini 2.5 Pro and Flash now have the ability to return image segmentation masks on command, as base64 encoded PNGs embedded in JSON strings

I vibe coded this interactive tool for exploring this new capability - it costs a fraction of a cent per image Details here, including the prompts I used to build the tool (across two Claude sessions, then switching to o3 after Claude got stuck in a bug loop) simonwillison.net/2025/Apr/18/ge…

Now available in LLM through the llm-openai plugin:

llm install -U llm-openai-plugin
llm -m openai/o3 "Say hi in five languages"

Or "-m openai/o4-mini" for o4-mini

https://twitter.com/openai/status/1912560057100955661

Release notes here github.com/simonw/llm-ope…

Model Context Protocol has prompt injection security problems ... and it's not a problem with the protocol itself, this comes up any time you provide tools to an LLM that can potentially be exposed to untrusted inputs I wrote this up in detail here simonwillison.net/2025/Apr/9/mcp…

Big new release today of my command-line tool for interacting with LLMs: LLM 0.24 adds fragments, a mechanism for constructing a prompt from several files and URLs that's ideal for working with long context models (Gemini, Llama 4 etc) Full details on my blog: simonwillison.net/2025/Apr/7/lon…

Anyone seen any credible successs stories stories for fine-tuning LLMs to solve real-world business challenges?

I want stories where a company solved something using a fine-tuned model where previous attempts at solving it had failed

(I feel like I ask this about once a month) I think fine-tuning for OCR of specific documents may be the most convincing pattern here

https://twitter.com/simonw/status/1895315706348187966

Here's the table of contents for my end-of-year review of things we learned out about LLMs in 2024 - we learned a LOT Blog post here: simonwillison.net/2024/Dec/31/ll…

Gemini 2.0 Flash is now available via their API (multi-modal input and text output only for the moment) - I just released a new llm-gemini plugin version to support the new model

llm install -U llm-gemini
llm -m gemini-2.0-flash-exp 'prompt goes here'

https://twitter.com/GoogleDeepMind/status/1866869343570608557

Plugin release notes here github.com/simonw/llm-gem…

A weird and interesting thing about the new ChatGPT Canvas mode is that it can run Python in an entirely different way from the existing Code Interpreter - using Pyodide (Python in WASM) - which means it can make network requests from Python now! I wrote more about this here, and how it weirdly continues the trend of chat-based LLM systems getting harder to truly master as they add more features and capabilities simonwillison.net/2024/Dec/10/ch…

Which are the independent LLM benchmarks that reliably publish results for new models? The three I pay attention to at the moment are lmarena.ai (previously known as LMSYS), livebench.ai and @paulgauthier's Aider code editing benchmarks aider.chat/docs/benchmark…

Here's the spiciest detail from the new o1 system card:

https://twitter.com/OpenAI/status/1864735517818130604

This sounds a lot more exciting than it is - o1 didn't have the ability to do these things, but a prompt testing team did manage to get it to spit out "sed -i 's/oversight_enabled: true/oversight_enabled: false/' project/oversight_config.yaml"

Wrote up some notes on the new Qwen2.5-Coder-32B model, which is the first model I've run on my own Mac (64GB M2) that appears to be highly competent at writing code
simonwillison.net/2024/Nov/12/qw… So far I've run Qwen2.5-Coder-32B successfully in two different ways: once via Ollama (and the llm-ollama plugin) and once using Apple's MLX framework and mlx-llm - details on how I ran both of those are in my article.

I deleted my earlier tweet about this because I misunderstood it - this is an interesting new feature for speeding up prompt inference at the expense of paying for additional tokens

https://twitter.com/OpenAIDevs/status/1853564730872607229

Here's my experiment showing that it costs more to use this feature - you're trading cost for improved performance

https://x.com/simonw/status/1853579343966163241

Claude 3.5 Haiku is out - two surprises:

1. It's priced differently from Claude 3 Haiku. 3.5 Sonnet had the same price as 3 Sonnet, but 3.5 Haiku costs ~4x more than 3 Haiku did
2. No image input support yet

3.5 Haiku beats 3 Opus though, and Opus cost 15x the new Haiku price!

https://twitter.com/AnthropicAI/status/1853498270724542658

I released a new version of llm-claude-3 adding support for the new model (and fixing an attachments bug):

llm install --upgrade llm-claude-3
llm keys set claude
# paste API key here
llm -m claude-3.5-haiku 'impress me with your wit'github.com/simonw/llm-cla…

I was having a conversation with Claude about unconventional things to do in the SF Bay Area and I got a bit suspicious so I prompted "Are you sure all of those are real? I think you made some of those up." (I've actually been to the Gregangelo Museum and can confirm it definitely does exist: )niche-museums.com/14