Local agent security hits critical focus

The rise of local "agentic" workflows has outpaced security standards, leaving users vulnerable to host-level compromise via untrusted context.

• –Standard Docker containers are no longer considered sufficient for tool-using agents due to kernel-sharing; microVMs like Firecracker or gVisor are the new benchmarks.
• –MCP (Model Context Protocol) introduces "confused deputy" risks where an agent might be tricked into misusing its granted tool authorities.
• –Human-in-the-loop (HITL) remains the only reliable final line of defense for destructive actions like file writes or shell execution.
• –Prompt injection via untrusted data (e.g., a README file) is the primary attack vector for hijacking agents with privileged permissions.
• –Secret management is a critical gap; agents should never have direct access to .env files or long-lived session tokens.