
Comment by catlifeonmars

1 day ago

I’m not so much worried about a malicious agent, more so a confused deputy, if that makes sense. The agent itself seems like a juicy RCE vector with a larger surface area than an unpatched binary. And think of all the side channels for delivering your exploits. You don’t need to bake it into an executable payload; probably well-crafted wording in a README will do.

Like you say, there’s a larger attack surface area for a kernel vs a hypervisor. If it’s easy to do, why wouldn’t you take advantage of the extra isolation of a VM?

It’s 2026 and microVMs are a thing. The DevX gap between VMs and containers is shrinking.