This is not news. You can never secure an LLM by the nature of it being non-deterministic. So you secure everything else around it, like not giving it shell access.
To be clear, I agree that this set-up is unwise and the social engineering aspect is something that human people are vulnerable to, as well.
However, it makes context in the sense of this post as an advertisement for their business. This is somewhat like the value proposition for sawstop. We might say that nobody should stick their hand into a table saw, but that's not an argument against discussing appropriate safeguards. For the table saw, that might be retracting the blade when not in use. For this weird email setup, that might involve only enabling an llm's mcp access to the shell service for a whitelist of emails, or whatever.
However, it makes context in the sense of this post as an advertisement for their business. This is somewhat like the value proposition for sawstop. We might say that nobody should stick their hand into a table saw, but that's not an argument against discussing appropriate safeguards. For the table saw, that might be retracting the blade when not in use. For this weird email setup, that might involve only enabling an llm's mcp access to the shell service for a whitelist of emails, or whatever.