Nobody is only generating code. Many are letting agents run commands. Agents routinely write scripts and run tools in the background. Agents who have been told they can only do `cat` and `grep` can sometimes do `cat $EVIL_PAYLOAD | bash`. It's entirely possible for a model to have malicious commands designed for agents to execute baked in.