Sandboxing is great, and stricter Authorization policies are great too, but with these kinds of software, my biggest fear (and that's why I am not trying them out now) is prompt injection.

It just seems unsolvable if you want the agent to do anything remotely useful

Ultimately a prompt injection attack is trying to get the agent to do something it wasn't intended to do and if you have the appropriate sandboxing and authorization in place, a compromised agent won't be able to actually execute the exploits