[benreesman]

I was being a bit casual when I used the root analogy. If you run an agent with privileges, you have to assume damage at those privileges. Agents are stochastic, they are suggestible, they are heavily marketed by people who do not suffer any consequences when they are involved in bad outcomes. This is just about the definition of hostile code.

Don't run any agent anywhere at any privilege where that privilege misused would cause damage you're unwilling to pay for. We know how to do this, we do it with children and strangers all the time: your privileges are set such that you could do anything and it'll be ok.

edit: In your analogy, giving it `browser_crawl` was the CVE: `browser_crawl` is a different way of saying "arbitrary export of all data", that's an insanely high privilege.