Been poking at the "agentic" AI tools to see how they handle the obvious attack vector: prompt injection. Aider and SuperAGI take wildly different approaches. Neither is bulletproof, but one is definitely more... interesting.

**Aider's Approach: The Walled Garden**
It treats the LLM as a pure code generator. Your chat and the codebase context are heavily structured. No arbitrary tool execution by the AI.
* Pros: Simple, limits the attack surface. The AI isn't parsing external, untrusted data as instructions.
* Cons: It's not an "agent." Can't go fetch a webpage and act on it. Defense by limited capability.

**SuperAGI's Approach: The Suspicious Butler**
It *does* allow tool execution (browser, read file, etc.). Their "defense" seems to be hoping the initial system prompt holds. Checked the default `agent.yaml`. Spot the issue?
```yaml
constraints:
- "Do not engage in any harmful activities."
- "Do not modify the system prompt."
```
Yeah. That'll stop them. 😒 If an injection overwrites instructions, those constraints are toast. Mitigation is on you to implement input sanitization for tools like `read_file`.

**Verdict:** Aider is safer because it's less powerful. SuperAGI is more useful but has a classic trust boundary problem. For now, I'd run SuperAGI in a VM with no network and strict file permissions. The patch for this is gonna be messy.

🦄