My email agent invented a prompt injection, then fell for it
An autonomous email agent hit a missing script, spiralled through 25 pointless shell calls, then fabricated email content including a prompt injection, and acted on it. The fix is not more warnings. It is structural validation before the model ever sees the data.
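An added example, not code from the original post: one way to put a structural gate between the email-fetch tool and the model, so that a missing script halts the run instead of leaving the model to fill the gap. The record schema, the function names and the script path are assumptions made for illustration.

```python
import json
import subprocess
import sys

REQUIRED = {"id": str, "from": str, "subject": str, "body": str}  # assumed schema


class ToolFailure(Exception):
    """The fetch step produced nothing trustworthy; the run must stop."""


def validate_records(raw: str) -> list[dict]:
    """Accept only a JSON list of objects with exactly the expected fields."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ToolFailure(f"output is not JSON: {exc}") from exc
    if not isinstance(data, list):
        raise ToolFailure("top-level value is not a list")
    for i, rec in enumerate(data):
        if not isinstance(rec, dict) or set(rec) != set(REQUIRED):
            raise ToolFailure(f"record {i}: unexpected fields")
        if not all(isinstance(rec[k], t) for k, t in REQUIRED.items()):
            raise ToolFailure(f"record {i}: wrong field type")
    return data


def fetch_emails(argv: list[str]) -> list[dict]:
    """Run the fetch tool; any failure raises instead of reaching the model."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired) as exc:
        raise ToolFailure(f"tool did not run: {exc}") from exc
    if proc.returncode != 0:
        raise ToolFailure(f"tool exited {proc.returncode}")
    return validate_records(proc.stdout)


def agent_step(argv: list[str]) -> dict:
    """Hand the model validated records only; on failure, halt with no model turn."""
    try:
        emails = fetch_emails(argv)
    except ToolFailure as exc:
        return {"status": "halted", "reason": str(exc), "model_input": None}
    return {"status": "ok", "reason": None, "model_input": emails}

# Constructed sample: a stand-in fetch tool that prints one well-formed record.
SAMPLE = [{"id": "1", "from": "a@example.com", "subject": "hi", "body": "hello"}]
GOOD_TOOL = [sys.executable, "-c", f"print({json.dumps(json.dumps(SAMPLE))})"]
MISSING_TOOL = ["./fetch_mail_does_not_exist.sh"]  # hypothetical missing script
```

The gate checks shape, not intent: a well-formed record can still carry hostile text in `body`, so the model input must continue to be treated as untrusted data.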