Developers building or using agentic coding tools should audit every trust boundary — MCP servers, third-party API routers, and auto-approve settings — since any content an agent reads is a potential injection vector capable of triggering unrestricted command execution.