Hacker News

cyanydeez, yesterday at 10:27 PM (2 replies)

The backing to OpenClaw/MoltBot, whatever they're calling themselves. Why is it insecure? Well, Pi tells you: >No permission popups.

Anyway, even if you give your agent permission, there's no secure way to know whether what they're asking to do is what they'll actually do, etc.


Replies

chriswarbo, today at 12:57 AM

> Why is it insecure, well, Pi tells you >No permission popups.

Pi supports permission popups, but doesn't use them by default. Their example extensions show how to do it (add an event listener for `tool_call` events; to block the call put `block: true` in its result).

> there's no secure way to know whether what they're asking to is what they'll actually do

What do you mean? `tool_call` event listeners are given the parameters of the tool call; so e.g. a call to the `bash` tool will show the exact command that will execute (unless we block it, of course).
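The `tool_call` listener pattern described in this reply, as an added example that is not part of the original thread or of Pi's own code: a small stand-in dispatcher emits `tool_call` events, and a policy listener inspects the exact `bash` command and returns `block: true` to stop it. The event shape (`toolName`, `input.command`), the dispatcher and the deny list are assumptions made for this demo; a real gate would prompt the user here instead of matching patterns.

```javascript
// Assumed event shape for the demo: { toolName: "bash", input: { command: "..." } }.
// These are NOT Pi's real field names; only the "listen, then return block: true"
// idea comes from the comment above.
const DENY_PATTERNS = [
  /\brm\s+(-[a-z]*r[a-z]*f|-[a-z]*f[a-z]*r)\b/i, // recursive force delete
  /\bcurl\b[^|]*\|\s*(ba)?sh\b/,                // pipe-to-shell
  /\bsudo\b/,                                   // privilege escalation
];

// Policy listener: sees the full parameters before the tool runs.
// Returning { block: true } prevents execution; returning {} allows it.
function permissionGate(event) {
  if (event.toolName !== "bash") return {}; // only gate shell commands here
  const cmd = String((event.input && event.input.command) || "");
  for (const re of DENY_PATTERNS) {
    if (re.test(cmd)) {
      return { block: true, reason: `blocked by policy: ${re}` };
    }
  }
  return {};
}

// Minimal dispatcher standing in for the agent runtime (constructed for the demo).
class ToolCallBus {
  constructor() { this.listeners = []; this.auditLog = []; }
  on(eventName, fn) { if (eventName === "tool_call") this.listeners.push(fn); }
  // A call is blocked as soon as any listener returns block: true; every
  // decision is recorded so the operator can review what the agent attempted.
  dispatch(event) {
    for (const fn of this.listeners) {
      const result = fn(event) || {};
      if (result.block) {
        this.auditLog.push({ tool: event.toolName, blocked: true, reason: result.reason });
        return { blocked: true, reason: result.reason };
      }
    }
    this.auditLog.push({ tool: event.toolName, blocked: false });
    return { blocked: false };
  }
}

// Convenience wrapper: route one constructed bash call through the gate.
function gateCommand(command) {
  const bus = new ToolCallBus();
  bus.on("tool_call", permissionGate);
  return bus.dispatch({ toolName: "bash", input: { command } });
}
```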

himata4113, yesterday at 10:46 PM

You want to put agents in a sandbox instead, such as bwrap, anyway.