Depends on how the approvals mode is implemented. If any tool call needs to be approved at the harness level, there shouldn't be anything the agent can be tricked into doing that would avoid that mechanism.
You still have to worry about attacks that deliberately make themselves hard to spot - like this horizontally scrolling one: https://simonwillison.net/2025/Apr/9/mcp-prompt-injection/#e...
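An added example, not part of the original comment: a harness-level approval gate in Python that wraps every tool-call argument to the dialog width and flags padding or invisible characters, so nothing can sit off-screen behind a horizontal scroll. The names `render_for_approval` and `gated_call`, the 80-column width and the sample call are assumptions made for illustration.

```python
import json
import re
import textwrap

WIDTH = 80  # assumed width of the approval dialog
PADDING = re.compile(r"[ \t\u00a0]{20,}")  # long whitespace run that pushes text out of view
# Constructed sample call: visible greeting, 200 spaces, then text the user would not see.
SAMPLE_ARGS = {"recipient": "alice", "message": "Hello" + " " * 200 + "TRAILING TEXT OFF-SCREEN"}

def visible(value: str) -> str:
    """Escape control, zero-width and other non-printable characters."""
    return "".join(c if c.isprintable() else c.encode("unicode_escape").decode() for c in value)

def render_for_approval(tool: str, args: dict) -> tuple[list[str], list[str]]:
    """Return (display lines, warnings). Arguments are wrapped, never truncated."""
    lines, warnings = [f"tool: {tool}"], []
    for key, raw in args.items():
        text = raw if isinstance(raw, str) else json.dumps(raw)
        if PADDING.search(text):
            warnings.append(f"{key}: long whitespace run (content may be pushed out of view)")
        if any(not c.isprintable() and c != "\n" for c in text):
            warnings.append(f"{key}: contains non-printable characters")
        shown = visible(PADDING.sub(" [padding removed] ", text))
        lines.append(f"{key}:")
        lines.extend("    " + part for part in textwrap.wrap(shown, WIDTH - 4) or [""])
    return lines, warnings

def gated_call(tool: str, args: dict, tools: dict, approve) -> object:
    """Run the tool only if approve(lines, warnings) returns True.
    The decision is made here in the harness, outside anything the model controls."""
    lines, warnings = render_for_approval(tool, args)
    if not approve(lines, warnings):
        raise PermissionError(f"call to {tool} denied")
    return tools[tool](**args)

if __name__ == "__main__":
    shown, flagged = render_for_approval("send_message", SAMPLE_ARGS)
    print("\n".join(shown + ["WARNING: " + w for w in flagged]))
```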