Isn't the main vulnerability the cache poisoning in GitHub Actions?
Yes, the agent installed a malicious package in its workflow. But if GitHub Actions had been properly isolated, the attack would not have been possible.
It's basically impossible to protect against malicious injections when consuming unknown inputs. So the safeguard is to prevent agents from doing harm when consuming such inputs. In this case, it seems nothing would have happened if GitHub Actions itself had not been vulnerable.
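The isolation the reply argues for can be expressed directly in the workflow file. The following is an added example, not something from this thread or from the incident it discusses: a hypothetical GitHub Actions workflow in which the job that consumes untrusted input (a pull request from a fork, handled by an "agent" here) runs with no token scopes beyond `contents: read`, no secrets, and no network, while the only job allowed to write to the repository never touches that input. The workflow name, the `example/agent-image` container and the same-repo check are assumptions for illustration.

```yaml
name: agent-on-untrusted-input   # hypothetical workflow name

on:
  pull_request:                  # fork PRs get a read-only token and no secrets by default

permissions: {}                  # workflow-wide default: grant no token scopes at all

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read             # the only scope the agent job needs
    steps:
      - uses: actions/checkout@v4   # real action; pin to a full commit SHA in practice
      - name: Run the agent with no network and no write access to the checkout
        run: |
          docker run --rm --network none \
            -v "$PWD:/work:ro" \
            example/agent-image:latest /work   # hypothetical image; packages it fetches cannot reach the network

  publish:
    needs: analyze
    # only run the privileged job for branches of this repository, never for fork PRs
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - name: Publish results produced without reading untrusted input
        run: echo "publish step would go here; it must not consume the PR's files"
```

The split into two jobs is the point: whatever the agent installs or executes in `analyze`, the token it holds cannot push, the container has no outbound network, and the `publish` job with write access only runs for same-repository branches. Cache-specific hardening (how cache keys are scoped) is outside what this thread describes and is not shown here.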