Sure but the exploit here isn’t prompt injection, it is an edge case in their billing that isn’t attributing agent calls correctly.

It reminds me of when I used to write lisp, where code is data. You can abuse reflection (and macros) to great effect, but you never feel safe.

See also: string interpolation and SQL injection, (unhygienic) C macros

Allowing phreaking was an intentional decision, because otherwise they could have carried half as many channels on each link.

It'll be a sad day for Little Bobby Tables if in-band signaling ever goes out of fashion.