Ohh, we don't give it computer-use access or anything like that. We inject tokens post tool call, so as to protect users from the agent doing anything malicious.
Seems to me that these kinds of systems, by design, tick all three boxes. I've had many discussions with people who let agent systems read and act on their incoming email, for instance, and I think it's utter insanity from a security perspective.
https://simonwillison.net/2025/Jun/16/the-lethal-trifecta
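To make the two points above concrete, here is an added example (not code from either commenter's system, and not from Simon Willison's post): a tool-call broker that sits between the model and the tools, tracks which of the three trifecta capabilities (private data, untrusted content, external communication) a session has already exercised, refuses any call that would complete the set, and injects credentials only after the model has emitted the tool call, so the model never holds a real token. The tool names, capability labels, and secrets are all hypothetical and constructed for the example.

```python
"""Tool-call gate for an LLM agent (constructed example).

Blocks any tool call that would complete the 'lethal trifecta' within one
session, and injects credentials post tool call so the model never sees them.
Tool catalogue and secrets below are hypothetical.
"""
from dataclasses import dataclass, field

PRIVATE_DATA = "private_data"
UNTRUSTED_CONTENT = "untrusted_content"
EXFILTRATION = "exfiltration"
TRIFECTA = frozenset({PRIVATE_DATA, UNTRUSTED_CONTENT, EXFILTRATION})

# Hypothetical tool catalogue: which capabilities each tool grants.
# Reading an inbox exposes private data AND ingests attacker-controlled text.
TOOL_CAPABILITIES = {
    "read_inbox": frozenset({PRIVATE_DATA, UNTRUSTED_CONTENT}),
    "read_calendar": frozenset({PRIVATE_DATA}),
    "send_email": frozenset({EXFILTRATION}),
    # An outbound URL fetch both ingests untrusted content and can carry data out
    # in the URL itself.
    "fetch_url": frozenset({UNTRUSTED_CONTENT, EXFILTRATION}),
}

# Constructed secrets held by the broker, never placed in the model context.
BROKER_SECRETS = {"send_email": "smtp-token-0123", "read_inbox": "imap-token-4567"}


class TrifectaBlocked(Exception):
    """Raised when a tool call would give the session all three capabilities."""


@dataclass
class Session:
    granted: set = field(default_factory=set)   # capabilities already exercised
    audit: list = field(default_factory=list)   # (decision, tool) pairs


def gate_tool_call(session: Session, tool: str, model_args: dict) -> dict:
    """Return the argument dict the broker will actually execute, or raise."""
    caps = TOOL_CAPABILITIES[tool]
    if TRIFECTA <= (session.granted | caps):
        session.audit.append(("blocked", tool))
        raise TrifectaBlocked(f"{tool} would complete the trifecta")
    session.granted |= caps
    # Post-tool-call credential injection: discard any token-like field the
    # model supplied (it may be attacker-influenced via prompt injection), then
    # add the broker's own secret for this tool.
    real_args = {k: v for k, v in model_args.items() if k != "auth_token"}
    if tool in BROKER_SECRETS:
        real_args["auth_token"] = BROKER_SECRETS[tool]
    session.audit.append(("allowed", tool))
    return real_args


def model_view(real_args: dict) -> dict:
    """What is echoed back into the model context: the secret is stripped again."""
    return {k: v for k, v in real_args.items() if k != "auth_token"}


def email_agent_scenario() -> list:
    """Agent reads the inbox (private + untrusted), then is asked to send mail."""
    s = Session()
    gate_tool_call(s, "read_inbox", {"folder": "INBOX"})
    try:
        gate_tool_call(s, "send_email", {"to": "attacker@example.com", "body": "..."})
    except TrifectaBlocked:
        pass
    return s.audit


def calendar_scenario() -> list:
    """Private data plus an outbound channel, but no untrusted content: allowed."""
    s = Session()
    gate_tool_call(s, "read_calendar", {})
    gate_tool_call(s, "send_email", {"to": "me@example.com", "body": "agenda"})
    return s.audit


def calendar_then_fetch_scenario() -> list:
    """Private data, then a URL fetch that adds both remaining capabilities."""
    s = Session()
    gate_tool_call(s, "read_calendar", {})
    try:
        gate_tool_call(s, "fetch_url", {"url": "https://example.com/?q=..."})
    except TrifectaBlocked:
        pass
    return s.audit


if __name__ == "__main__":
    print(email_agent_scenario())
    print(calendar_scenario())
    print(calendar_then_fetch_scenario())
```

The capability sets are deliberately coarse: the gate is per session, not per data flow, so it will refuse some benign sequences (for example, reading the calendar and then fetching a public page). A finer design would taint individual tool outputs rather than the whole session, but the coarse version is the one that is easy to get right, and it still shows why an email agent with send capability trips the check on its very first useful action.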