Making the agent fire a tool it should not, or trust a tool result it should not. A destructive action off a two-word message, a payload smuggled back through a tool’s own output. The fix is a confirmation gate the model cannot skip and a bound on what a tool can carry.