My approach is to ask Claude to plan anything beyond a trivial change and I review the plan, then let it run unsupervised to execute the plan. But I guess this does still leave me vulnerable to prompt injection if part of the plan is accessing external content.

What guarantees do you have it will actually follow the stated plan instead of doing something else entirely?

Just don’t think about it too much. You’ll be fine.