Comment by dd82

not quite, from the article

>Cortex, by default, can set a flag to trigger unsandboxed command execution. The prompt injection manipulates the model to set the flag, allowing the malicious command to execute unsandboxed.

>This flag is intended to allow users to manually approve legitimate commands that require network access or access to files outside the sandbox.

>With the human-in-the-loop bypass from step 4, when the agent sets the flag to request execution outside the sandbox, the command immediately runs outside the sandbox, and the user is never prompted for consent.

scope restrictions are in place but are trivial to bypass