Prompt injection?

Or is this simply another example of why autonomous agents shouldn't get write access before earning trust?