Comment by adw
7 hours ago
The tool-calling thing here is overblown.
When you do "tool calling" with an LLM, all you're doing is having the LLM generate output in a particular format you can parse out of the response; it's then your code's responsibility to run the tools (locally) and stick the results back into the conversation.
So that _specific_ part isn't RCE. It's still bad for the nine million other obvious reasons though.
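As an added illustration of the harness-side loop the comment describes (not code from the commenter or from any product under discussion): the model's output is parsed as text, and the harness alone decides which local function, if any, runs and what goes back into the conversation. The `<tool_call>` markup, the tool registry and the sample model turn are all constructed here.

```python
import json
import re

# Hypothetical tool registry: only what the harness lists here can ever run.
def add(a: int, b: int) -> int:
    return a + b

def word_count(text: str) -> int:
    return len(text.split())

TOOLS = {
    "add": (add, {"a": int, "b": int}),
    "word_count": (word_count, {"text": str}),
}

# Assumed output format: JSON objects wrapped in <tool_call> tags.
TOOL_CALL_RE = re.compile(r"<tool_call>(.*?)</tool_call>", re.DOTALL)

def extract_tool_calls(model_output: str) -> list:
    """Parse tool-call markup out of raw model text; malformed JSON is skipped."""
    calls = []
    for raw in TOOL_CALL_RE.findall(model_output):
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and isinstance(obj.get("name"), str):
            calls.append(obj)
    return calls

def dispatch(call: dict) -> dict:
    """Run one call only if it names a registered tool with correctly typed arguments."""
    name = call["name"]
    if name not in TOOLS:
        return {"name": name, "error": "unknown tool"}
    fn, schema = TOOLS[name]
    args = call.get("arguments", {})
    if set(args) != set(schema) or not all(isinstance(args[k], t) for k, t in schema.items()):
        return {"name": name, "error": "bad arguments"}
    return {"name": name, "result": fn(**args)}

def run_turn(model_output: str) -> list:
    """Tool results that the harness would append to the conversation as the next message."""
    return [dispatch(c) for c in extract_tool_calls(model_output)]

# Constructed sample turn: one registered tool, one unregistered tool, one non-JSON call.
SAMPLE_OUTPUT = (
    "Let me compute that.\n"
    '<tool_call>{"name": "add", "arguments": {"a": 2, "b": 3}}</tool_call>\n'
    '<tool_call>{"name": "not_registered", "arguments": {"x": 1}}</tool_call>\n'
    "<tool_call>{not json}</tool_call>"
)

if __name__ == "__main__":
    print(run_turn(SAMPLE_OUTPUT))
```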