The answer to that question seems obvious: No, it is not safe.

Yet with tens of millions of developers using these tools, there have not been widespread incidents of this sort as far as I know.

So it leaves me with a few choices:

- manually review and approve each command: obviously not realistic; you would just click Approve

- use a sandbox and hope the exploit is not devious enough to escape the sandbox when you run or open the project outside of the sandbox

- use AI without web access and limit other external dependencies

- don't use agentic AI

- use the Claude or Codex auto-approval classifier and hope for the best

Personally, I'm going with the last option for now.