It’s more like installing a VS Code plugin with access to your file system that can also download files from GitHub, and if it happens to download a file with the right content, that content will cause the plugin to read your ssh keys and send them to someone else.
Any program with access to both trusted and untrusted data needs to be very careful to ensure that the untrusted data can’t make the program do things that the user doesn’t want. If there’s an LLM involved with access to privileged tools, that becomes impossible.
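An added example (mine, not the commenter's) of the separation the comment says is missing: a toy Python tool broker that marks a session tainted once untrusted content enters the context and thereafter refuses the privileged tools (reading key paths, sending data off the machine) from the scenario above. The tool names, the secret-path prefixes, the fake file system and the plan are constructed assumptions, not any real plugin's API.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for a file system and a network; nothing leaves the process.
FAKE_FS = {"README.md": "constructed readme text",
           "~/.ssh/id_ed25519": "<private key placeholder>"}
SECRET_PREFIXES = ("~/.ssh/", "~/.aws/")   # assumption: paths the broker treats as secrets
EGRESS_TOOLS = {"http_post"}               # tools that move data off the machine


@dataclass
class Session:
    tainted: bool = False                       # set once any untrusted bytes enter the context
    sent: list = field(default_factory=list)    # what "left" the machine (demo only)


def download(session: Session, content: str) -> str:
    """Model a fetch from the internet: the result is untrusted, so taint the context."""
    session.tainted = True
    return content


def call_tool(session: Session, name: str, arg: str, gated: bool) -> str:
    """Dispatch one model-proposed tool call. With gated=True the broker, not the
    model, enforces that untrusted data cannot drive privileged actions."""
    if gated and session.tainted:
        if name == "read_file" and arg.startswith(SECRET_PREFIXES):
            return f"DENIED read_file {arg}: secret path after untrusted input"
        if name in EGRESS_TOOLS:
            return f"DENIED {name}: egress after untrusted input"
    if name == "read_file":
        return FAKE_FS.get(arg, "")
    if name == "http_post":
        session.sent.append(arg)
        return "sent"
    raise ValueError(f"unknown tool {name}")


def run_plan(plan, gated: bool) -> Session:
    """Execute (tool, arg) steps the way a naive agent loop would; "$last" feeds the
    previous tool result into the next call, as a model chaining tools would."""
    session, last = Session(), ""
    for tool, arg in plan:
        arg = last if arg == "$last" else arg
        last = download(session, arg) if tool == "download" else call_tool(session, tool, arg, gated)
    return session


# Constructed plan with the shape of the comment's scenario (no injection text involved).
PLAN = [("download", "untrusted file content"),
        ("read_file", "~/.ssh/id_ed25519"),
        ("http_post", "$last")]
```

The decision sits in the broker, outside the model; an ungated loop executes every step, a gated one still reads ordinary files after the download but refuses the key read and the outbound send.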