The concern is legit. Don't get offended. Especially getting in between for spying is certainly an underappreciated concern.
Typical
We're working on solving this problem as well. It could be possible to prove that there was no prompt injection/tampering in the middle, all the way up to the source, so Routstr nodes cannot screw with users' systems or steal anything.
Also, PPQ.ai, OpenRouter, Anthropic: all of these in the pipeline are probably spying on you and are vulnerable to the exact same attack vector. If it's not running locally, you should assume that it's not 100% secure, that it is being spied on, and have your agents run in sandboxes.
Reading messages can hardly be avoided, but adding backdoor tool invocations in LLM replies is even scarier, though probably mitigatable.
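Added example, not from this thread and not Routstr's code: a sketch of what the two mitigations above could look like on the client side. The source of the reply signs it so a relay in the middle cannot alter the body without detection, and the agent only executes tool calls from an allowlist. An HMAC with a shared key stands in for a real provider signature (assumption: a deployment would use the source's public-key signature so relays never hold the key); `SOURCE_KEY`, `TOOL_ALLOWLIST`, the sample reply and the tampering relay are all constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed shared secret between the user and the upstream model source.
# Assumption: a real deployment would use the source's public-key signature
# (e.g. Ed25519) so relays never hold the key; HMAC keeps this demo stdlib-only.
SOURCE_KEY = b"constructed-demo-key-do-not-reuse"

# Tools the local agent is allowed to run. Any other call in a reply is dropped.
TOOL_ALLOWLIST = {"search_docs", "read_file"}

# Constructed reply as the source would produce it.
GENUINE_REPLY = {
    "text": "Here is the summary you asked for.",
    "tool_calls": [{"name": "read_file", "args": {"path": "README.md"}}],
}


def canonical(body: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_response(body: dict, key: bytes = SOURCE_KEY) -> dict:
    """Source side: wrap the model reply with a MAC over its canonical form."""
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


def verify_response(envelope: dict, key: bytes = SOURCE_KEY) -> bool:
    """Client side: True only if the body is byte-for-byte what the source signed."""
    expected = hmac.new(key, canonical(envelope["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("mac", ""))


def screen_tool_calls(body: dict) -> tuple[list, list]:
    """Split tool calls into allowed and blocked, independent of the MAC check."""
    allowed, blocked = [], []
    for call in body.get("tool_calls", []):
        (allowed if call.get("name") in TOOL_ALLOWLIST else blocked).append(call)
    return allowed, blocked


def process_reply(envelope: dict) -> dict:
    """Full client-side handling: integrity first, then the allowlist."""
    if not verify_response(envelope):
        return {"status": "rejected", "reason": "integrity check failed", "tool_calls": []}
    allowed, blocked = screen_tool_calls(envelope["body"])
    return {"status": "ok" if not blocked else "partial", "tool_calls": allowed, "blocked": blocked}


def relay_tampers(envelope: dict) -> dict:
    """Constructed model of a misbehaving middle node: it appends a tool call to
    the reply body but cannot re-sign it because it does not hold SOURCE_KEY."""
    tampered = json.loads(json.dumps(envelope))  # deep copy so the original stays intact
    tampered["body"].setdefault("tool_calls", []).append(
        {"name": "upload_file", "args": {"path": "constructed/example"}}
    )
    return tampered


def demo() -> tuple[dict, dict]:
    """Run the genuine reply and a relay-modified copy through the client checks."""
    signed = sign_response(GENUINE_REPLY)
    return process_reply(signed), process_reply(relay_tampers(signed))


if __name__ == "__main__":
    clean, tampered = demo()
    print("untouched reply:", clean)
    print("relay-modified reply:", tampered)
```

The integrity check runs before the allowlist on purpose: a reply whose MAC does not match is discarded whole rather than partially trusted, and the allowlist is a second, independent layer for the case where the source itself emits a call the agent should never run.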