[dist-epoch]

Agent can get tricked into using a malicious library in your project, commit and push that, which you then run outside the VM.

So if you ever run the repo code outside the VM and don't review everything committed, you are still at danger.

[emilburzo]

It doesn't have any credentials inside the VM though, not even for git, so it could commit but not push. And I manually review/commit/push outside of the VM since I don't want to just dump stuff without reading it first.

But good call-out if someone uses a different workflow.