OneCLI doesn't solve the problem of the agent wrecking havoc, you're right, but it does help protect against the agent leaking private credentials from prompt injections / malicious skills.