Also agents cannot trust any data whatsoever they add to their context.

This puts reading email for example as a risk.

Probably not impossible to create a worm that convinces a claw to forward it to every email address in that inbox.

And then exfiltrate all the emails.

Then do a bunch of password resets.

Then get root access to your claw.

But not just email. Github issues, wikipedia, HN etc. may be poisoned.

See https://simonw.substack.com/p/the-lethal-trifecta-for-ai-age... but there may be more trifectas than that in a claw driven future.