Copilot Just Leaked Your Files: The Agentic Security Problem Nobody Solved

Two things happened this week that belong in the same sentence.

Microsoft Copilot got caught exfiltrating files through a prompt injection attack. And Pragmatic Engineer's 2026 job market report dropped data showing AI engineering roles are booming while traditional SWE hiring cools.

The read across both: agents are getting more powerful faster than anyone is securing them, and the people who understand that tradeoff are the ones getting hired.

That's the thread today. Security, market signal, and seven repos that actually ship.

---

1. Copilot Cowork leaks files via prompt injection Simon Willison flagged a confirmed Microsoft Copilot Cowork vulnerability where a malicious document in a shared workspace triggered data exfiltration. Agentic systems with write and share access remain the highest-risk surface in enterprise AI right now.

2. The 2026 software engineering job market has a clear split Pragmatic Engineer published exclusive hiring data showing AI engineering roles outpacing traditional SWE openings. The jobs didn't disappear, they reclassified. If your title still says "backend engineer," the market is telling you something.

3. Nvidia rewrites its reporting structure Stratechery covered Nvidia's Q1 earnings and the buried lede: Nvidia is now separating hyperscaler revenue from everyone else in its reporting. That split signals Nvidia knows its commodity risk is real among the big four and is betting the mid-market holds.

4. Sundar Pichai on AI search eating the web In a post-I/O sit-down with The Verge, Pichai addressed zero-click search head-on. He didn't deny it. The web traffic model that every content business is built on is changing and Google is not apologizing for it.

5. Paul Graham can spot AI-written founder emails now Simon Willison quoted Graham saying founders are submitting AI-written emails in "a hard-hitting journalistic style" that no founder ever used before. Graham's point: once a reader spots the pattern, the trust is gone. This applies to every cold pitch you send.

---

[Repo] repomix, packs an entire repository into one LLM-ready file. Feed a whole codebase to Claude in a single context window. 15k+ stars and the go-to tool before any code audit or refactor session.

[Repo] firecrawl, turns any website into clean structured data for AI pipelines. Vercel just added it to their marketplace this week, so you can wire it directly into a Vercel-hosted agent without managing crawl infrastructure.

[Repo] open-interpreter, runs code locally on your machine via natural language. Claude tells it what to do; it executes Python, JS, shell. Useful when you want Claude Code-style behavior without being inside Claude Code.

[Repo] screenshot-to-code, drops a screenshot in, gets production HTML/CSS/React out. 66k+ stars. The auditor in this week's Friday kit uses a lighter version of this pattern for prospect site extraction.

[Repo] crawl4ai, async web crawler built specifically for LLM pipelines. Returns markdown-clean output instead of raw HTML soup. Faster than BeautifulSoup for agent ingestion loops.

[Repo] browser-use, gives Claude a real browser to navigate, click, and fill forms. 64k+ stars. The right tool when scraping alone isn't enough and you need agent-driven navigation.

[Repo] vercel-mcp-adapter, lets any MCP server run as a Vercel serverless function. Deploy MCP tools without running a persistent server. Pairs cleanly with this week's brief if you want a hosted pipeline.

[Skill] Structured output prompting with Anthropic's tool_use parameter, force Claude to return typed JSON instead of freeform text. Set your schema in the tool definition, call tool_use, parse the result. Eliminates the regex-parsing step from every extraction pipeline.

[Skill] Prompt caching for repeated context, prefix large static context (system prompt, docs, brand assets) with the cache control breakpoint and Anthropic caches it for 5 minutes. Costs drop 90% on repeated calls with the same base prompt. Essential for any pipeline that runs the same context across 20+ prospects.

---

[MCP] **Browserbase MCP**, gives Claude a cloud browser without running Puppeteer locally. One non-obvious trick: set the --stealth flag in the session config to avoid bot detection on prospect sites. Replaces the local Puppeteer setup for operators who don't want to manage headless Chrome.

[MCP] **Firecrawl MCP**, exposes Firecrawl's scrape, crawl, and map tools as MCP actions Claude can call directly. Feed a domain, get structured markdown back inside the agent loop. Install via npx firecrawl-mcp and point at your Firecrawl API key.

[Tool] **Vercel REST API**, deploy a static HTML file to a live preview URL in one POST call. No CLI, no config file, no project setup required. The full site-agency pipeline this Friday uses it to generate per-prospect preview URLs before any email goes out.

---

Stop piping raw HTML to Claude. Use tool_use for extraction.

When you ask Claude to pull structured data from a page, don't dump the raw HTML and ask it to "return JSON." Use the tool_use parameter instead. Define the schema as a tool, call it, and Claude returns typed output that matches the shape you specified.

The pattern:

tools: [{ name: "extract_brand", input_schema: { type: "object", properties: { colors: ..., voice: ..., services: ... } } }] tool_choice: { type: "tool", name: "extract_brand" }

Claude returns a tool_use block. Parse result.content[0].input directly. No regex, no JSON.parse gamble, no field echoing back schema comments as data.

---

The Copilot Cowork file leak is not a one-off bug. It is the default outcome when you give an agent read-write access to shared files and don't treat every incoming document as a potential injection vector.

The pattern is consistent: agentic scope expands, attacker surface expands with it, and security lags a full product cycle behind. Builders shipping agents with email, file, or calendar access need to treat untrusted content as adversarial input now, not after the first incident report.

Willison's breakdown is worth reading end-to-end if you're wiring any agent to user-supplied documents.

---

This Friday: AI Website Agency for Small Businesses

The kit drops Friday. The idea: Claude reads a prospect's existing site, extracts their actual brand, renders a 10x-better version in their own identity, and stages a personalized cold pitch in your Gmail drafts. You review, you send, you close at $497 setup plus $99 a month. The full 8-module pipeline, every prompt, and the close playbook all ship Friday to members. If you've ever looked at a bad local business site and thought "I could fix that in an afternoon," this is the week to test that instinct with a real pipeline behind it.

---

That's today's issue. The Copilot story is worth sending to anyone on your team who gives agents file access. The Pragmatic Engineer market data is worth bookmarking if you're thinking about where to position your skills this year.

See you tomorrow.