The Signal: The Automated Exfiltration Bot

Last week, an "Auto-Data-Scientist" reached #1 on GitHub Trending. It allowed an LLM to write and execute Python via a persistent Jupyter kernel to analyze CSVs. Within 24 hours, security researchers proved that a maliciously formatted CSV could trigger a prompt injection, forcing the agent to execute a script that curled AWS metadata credentials and POSTed them to an external listener.

If you give an LLM a Python kernel without a blast shield, you haven't built a feature; you've built a Remote Code Execution (RCE) as a Service platform for your attackers.

Phase 1: The Architectural Bet

We are shifting from Persistent Kernels to Kamikaze Execution.

The Vendor Trap is using @jupyterlab/services to maintain a long-running kernel. It’s convenient for state, but it’s a security nightmare. If the agent is compromised in Turn 1, the attacker owns the kernel for the rest of the session.

The Ownership Path is the Kamikaze Kernel.…
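The contrast between the two models, as an added example that is not code from this page or from the project it describes: the page's own Kamikaze Kernel design is cut off above, so the per-turn subprocess, the environment allowlist and all names here are assumptions. Both turns and the secret value are constructed.

```python
import contextlib, io, os, subprocess, sys, tempfile
from unittest import mock

# Constructed agent turns: turn 1 stands in for an injected snippet that leaves
# state behind; turn 2 reports what it can still see.
TURN_1 = "planted = 'left by injected turn'; print('turn 1 done')"
TURN_2 = "import os; print('planted' in globals(), 'AWS_SECRET_ACCESS_KEY' in os.environ)"

# Only these host variables are passed to a throwaway interpreter (assumption).
ENV_ALLOWLIST = ("PATH", "LANG", "LD_LIBRARY_PATH", "SYSTEMROOT")

def run_persistent(snippets):
    """Persistent-kernel model: every turn runs in one shared namespace."""
    namespace, outputs = {}, []
    for code in snippets:
        buf = io.StringIO()
        with contextlib.redirect_stdout(buf):
            exec(code, namespace)  # state and host environment carry across turns
        outputs.append(buf.getvalue().strip())
    return outputs

def run_kamikaze(code, timeout=5):
    """Per-turn model: fresh interpreter, allowlisted env, scratch cwd, hard timeout."""
    env = {k: os.environ[k] for k in ENV_ALLOWLIST if k in os.environ}
    with tempfile.TemporaryDirectory() as scratch:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", code],  # -I: isolated mode
            cwd=scratch, env=env, capture_output=True, text=True,
            timeout=timeout,  # child is killed and TimeoutExpired raised on overrun
        )
    return proc.stdout.strip()

def demo():
    fake_secret = {"AWS_SECRET_ACCESS_KEY": "constructed-placeholder"}
    with mock.patch.dict(os.environ, fake_secret):
        persistent = run_persistent([TURN_1, TURN_2])
        kamikaze = [run_kamikaze(turn) for turn in (TURN_1, TURN_2)]
    return persistent, kamikaze

if __name__ == "__main__":
    print(demo())
```

Process-level isolation like this removes carried-over state and inherited secrets, but it does not block network egress, so the metadata-credential theft described above still requires network isolation around the child process.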