Agreed, this is exactly what we do.

There's no harm in a string, only in the execution.

I create Tools as Actors, which are preconfigured for the LLM context (in-house agent loop). The tools being preconfigured means you set up their environment before they can be executed. If it calls a bash tool, for instance, the Tool Actor gets called and then it runs that command against an attached remote VM.

Or filesystem operations, which are just reads/writes inside a .zip file that is overlaid onto the target project at build time.

This article is spot on, and I probably say that because it's self reinforcing.
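As an added example, not the commenter's code, of the pattern described above: a filesystem Tool Actor that executes the LLM's tool-call string only against an in-memory .zip overlay, rejecting any path that would escape it. Class, method and tool-call field names are assumptions.

```python
"""Filesystem Tool Actor whose writes land in a .zip overlay, never the real tree.
The LLM only ever produces a string (JSON tool call); the actor decides what runs.
Assumed names: OverlayFsActor, handle(), to_zip_bytes(), list_overlay()."""
import io
import json
import posixpath
import zipfile


class OverlayFsActor:
    def __init__(self):
        self._files = {}  # overlay path -> bytes, serialized to a zip on demand

    @staticmethod
    def _safe_path(path):
        # Normalize and refuse absolute or traversing paths, so the tool-call
        # string cannot name anything outside the overlay root (zip-slip style).
        norm = posixpath.normpath(path.replace("\\", "/").lstrip("/"))
        if norm in ("", ".", "..") or norm.startswith("../"):
            return None
        return norm

    def handle(self, tool_call_json):
        """Execute one tool call; returns a result dict for the agent loop."""
        call = json.loads(tool_call_json)
        path = self._safe_path(call.get("path", ""))
        if path is None:
            return {"ok": False, "error": "path escapes overlay"}
        op = call.get("op")
        if op == "write":
            self._files[path] = call["content"].encode()
            return {"ok": True, "path": path}
        if op == "read":
            data = self._files.get(path)
            return {"ok": data is not None,
                    "content": data.decode() if data is not None else None}
        return {"ok": False, "error": "unknown op"}

    def to_zip_bytes(self):
        """Serialize the overlay; the build step extracts this onto the project."""
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for path, data in sorted(self._files.items()):
                zf.writestr(path, data)
        return buf.getvalue()

    def list_overlay(self):
        """Entries as the build step will see them when reading the zip back."""
        with zipfile.ZipFile(io.BytesIO(self.to_zip_bytes())) as zf:
            return sorted(zf.namelist())
```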