With LLM tool use potentially every cat action could be a prompt injection