- cross-posted to:
- pulse_of_truth@infosec.pub
My proposal to Anthropic was to add human-in-the-loop validation by removing ping, nslookup, dig and host from the list of allowlisted commands.
I wonder if that was actually their fix 😂 …because that list of regexps defining which commands to allow prompt injections to run without user confirmation includes some other things which can easily be abused. (For instance, some of those git subcommands take a --output option which instructs git to overwrite arbitrary files.)