Ah, now I get everyone's confusion. My understanding of the attack is that it involves (1) prompt injection of the AI Studio agent to replace the URL value ("replacing BANG...") and (2) phishing of the creator to click the link to exfil data, using the official looking "[Important Notice from YouTube]" banner. As some point out, this is like two prompt injections.
Perhaps Google was also confused by the author's explanation.