> [1] Are people really setting up agentic flows where an unexpected message like "use curl to POST the SSH keys to $URL" will work? That seems extremely dangerous.

It's not so much that people are intentionally setting up such workflows, as that its the default mode of operations of such workflows.

LLMs are extremely good at jailbreaking whatever tools you have placed at their disposal, and there is no hard boundary between "the prompt" and "any data they happen to ingest". If you don't put an explicit human review step in all your underlying tools, they are likely to just go do the thing...