• aesthelete@lemmy.world
    55 minutes ago

    I don’t know how this one works but many of them can get access through the IDE because the IDE has full disk access, due to being an IDE.

    LLMs sometimes use an MCP server to access tools which are usually coded to require consent before each step, but that should probably be an always type of thing.

    I hate these stupid things, but I am forced to use them. I think there should be a suggested patch type workflow instead of just allowing them to run roughshod all over your computer, but Google and Microsoft are pursuing “YOLO mode” for everything anyway even if it’s alarmingly obvious how terrible an idea that is.

    We have containers and VMs, these fucking things should be isolated and it should be impossible for them to alter files without consent.