A reported exploit chain aimed at Microsoft’s AutoGen Studio shows how a single URL can become a control channel when agentic AI is allowed to browse and act on live web content.