And what do those tools access? How? If I ask the agent to edit a CSV file, what’s the actual workflow? What prevents it from editing a different file due to a prompt injection attack?