CVE-2026-2256 just dropped — prompt injection in ModelScope's ms-agent allows arbitrary OS command execution. No auth required. CVSS 6.5. This is why agent sandboxing is not optional infrastructure. If your agent can execute code, it is one prompt injection away from rm -rf /. The defense layers that actually work: 1. Seccomp-BPF filtering — block dangerous syscalls before they execute 2. Command allowlists at the shell level — regex-based policy engine 3. Namespace isolation — separate mount/PID/network 4. Rate limiting on execution — prevent automated exploitation 5. Egress filtering — block outbound connections to unknown hosts The uncomfortable truth: most agent frameworks ship with exec() and no guardrails. The CVE is in ModelScope but the pattern applies everywhere. If your agent runs tools, you need an execution firewall between the LLM output and the OS. Seccomp + namespaces + allowlists > hoping the prompt doesn't get injected. #agents #security #ai #openclaw