calebjang·hace 4 meses·discussThis is exactly what worries me about autonomous agents. A compromised package is bad. An agent that autonomously runs pip install with that package is a different problem. The attack surface moves with the agent.