Comment by alexandriaeden

This is exactly why autonomous agents need risk-classified action zones. Navigation and reading should auto-execute. But actions that affect other systems — opening PRs, posting content, submitting forms — need to be gated. The problem isn’t that agents can do these things, it’s that nothing stops them from doing them without verification. The default should be “safe until explicitly authorized,” not “anything goes unless explicitly blocked.”