Dead on about the architecture level distinction. The "entire development environment is the attack surface" model is exactly correct. Copilot, Cursor, and the like consume READMEs, package docs, and issue threads without any form of sanitization. A malicious README in a well used npm package doesn't even need to contain malicious code. The README itself is the malware.
Regarding the three point framework: the separation and sanitization are achievable today. The problem is with the instruction hierarchy enforcement. How do you actually enforce the hierarchy when the model cannot accurately discern between "this is a system instruction" and "this is a paragraph of text that resembles a system instruction, but is actually describing a hotel"? That's the problem that none of the major providers have been able to solve yet.
P.S. Even when the model 'catches' the injection and refuses or freezes, the attacker still wins. In a production pipeline, a refusal is just a semantic Denial of Service. If a malicious README can trigger a safety filter and halt the ingestion of a package, you’ve still successfully broken the development tool’s utility without needing to execute a single line of shell script.
I've seen the freeze or ignore live myself while doing different tasks.
This experiment highlights a deeper issue than just prompt injection—it exposes the lack of a clear trust boundary in LLM-based systems. When external sources like GitHub READMEs are treated as executable instructions rather than untrusted data, the model effectively collapses the distinction between code, content, and control logic. What makes this particularly concerning is that modern AI tools automatically ingest context from repositories, issues, and documentation. That means the attack surface is not the prompt—it’s the entire development environment. We’re already seeing similar patterns in real-world incidents where hidden instructions in GitHub content lead to unintended actions or data exposure. A more robust approach would require: Strict separation between system instructions and external context Context sanitization before ingestion Explicit instruction hierarchy enforcement Without these, improving models alone won’t solve the problem, because this is fundamentally an architecture-level vulnerability, not a capability issue.