This is a great reminder that AI-assisted development tools need sandboxing at minimum. The attack surface with AI agents that can read/write files and execute code is enormous.

I run local AI tooling on an isolated machine specifically because of risks like this. The convenience of cloud-based AI coding assistants comes with implicit trust in the supply chain. Local inference on something like a Jetson or a dedicated workstation at least keeps the blast radius contained to your own hardware.

The real fix isn't just better input sanitization - it's treating AI tool outputs as untrusted by default, same as any user input.