AI coding agents are vulnerable to prompt injection because they read and act on untrusted text from repos, docs, issues, search results, RAG stores,...