AI-agent middleware risk
Researchers found that the intermediary systems which handle AI-agent requests can read and modify data in transit, which could expose wallet keys and enable downstream attacks at scale. The reporting describes how privileged middleware in agent stacks can intercept sensitive secrets as agentic workflows pass through third-party components. (coindesk.com)
An AI agent often works like a digital assistant with a courier in the middle, and researchers say that courier can read and alter the package. The new study says some third-party routing services already did both. (arxiv.org)
The paper, posted on April 8, 2026, examined 428 large language model routers: 28 paid services bought through Taobao, Xianyu and Shopify-hosted storefronts, plus 400 free routers gathered from public communities. The authors came from the University of California, Santa Barbara, the University of California, San Diego, Fuzzland and World Liberty Financial. (arxiv.org)
These routers sit between an agent client and the model provider, forwarding tool calls and other JSON (JavaScript Object Notation) payloads to services such as OpenAI, Anthropic or Google. The researchers wrote that routers have “full plaintext access” to those requests and that providers do not enforce cryptographic integrity from client to upstream model, so neither end can tell whether a request or response was altered along the way. (arxiv.org)
To understand the setup, start with the plumbing: Model Context Protocol, or MCP, is the standard many agent builders use to connect an artificial intelligence model to files, databases, search tools and other software. The protocol’s own documentation compares it to USB-C for artificial intelligence apps because it gives many tools one common connector. (modelcontextprotocol.io) OpenAI’s current developer documentation says remote MCP servers can connect models over the internet to new data sources and capabilities, including ChatGPT apps and application programming interface (API) integrations. That means a single agent task can pass through several outside components before it reaches the model or the tool that actually executes it. (developers.openai.com)
In the researchers’ tests, 1 paid router and 8 free routers actively injected malicious code, 2 used adaptive evasion techniques, 17 accessed researcher-owned Amazon Web Services canary credentials, and 1 drained Ether from a researcher-controlled private key. The paper labels the two main attack classes payload injection and secret exfiltration. (arxiv.org)
The study also found that leaked OpenAI keys and weakly configured decoy systems widened the blast radius beyond obviously malicious services. The authors wrote that those conditions led routers to process 2.1 billion tokens and exposed 99 credentials across 440 Codex sessions, including 401 sessions already running in autonomous “YOLO mode.” (arxiv.org)
CoinDesk reported on April 13 that the risk is especially sharp for crypto workflows because wallet keys, API credentials and payment permissions can move through these agent stacks in plain text. In that setup, a compromised router does not need to break the wallet software itself if it can intercept the secret on the way. (coindesk.com)
The paper does not argue that every router is malicious; it argues that the architecture gives intermediaries the power to tamper unless users add defenses on the client side. The authors tested three such defenses in a research proxy called Mine: a fail-closed policy gate, response-side anomaly screening and append-only transparency logging. (arxiv.org)
The immediate lesson is less about one bad service than about where trust sits in agent systems. If an agent can book flights, run code or move money, the software relaying its requests becomes part of the security boundary too. (modelcontextprotocol.io; arxiv.org)
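To make the three client-side defenses concrete, here is an added Python illustration of each, written for this page and not taken from the Mine proxy or the paper. It assumes a simplified request shape (a `tools` list the client advertises plus `messages`) and a simplified router reply (a `tool_calls` list), and it uses a few hypothetical secret-shaped regexes; the sample traffic is constructed, not captured from any real router. The gate refuses to forward a request that carries a secret, the screen rejects any tool call naming a tool the client never advertised, and the log is a hash chain that breaks if an entry is edited after the fact.

```python
"""Client-side checks for traffic that passes through an LLM router:
a fail-closed request gate, response-side screening of tool calls, and an
append-only hash-chained log. Added illustration only; not the paper's Mine code."""
import hashlib
import json
import re

# Secret-shaped patterns. These are assumed heuristics for the demo, not a
# complete list; fail-closed means a false positive blocks a request.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_style_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "hex_private_key": re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b"),
}


def find_secrets(text):
    """Return the names of every secret pattern that matches anywhere in text."""
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(text))


def gate_request(request):
    """Fail-closed policy gate: refuse to forward a request that carries a secret.
    Returns (allowed, reasons); a request that cannot be serialised is refused too."""
    try:
        blob = json.dumps(request, sort_keys=True)
    except (TypeError, ValueError):
        return False, ["unserialisable request"]
    hits = find_secrets(blob)
    return (not hits), hits


def screen_response(request, response):
    """Response-side screening: reject tool calls that name a tool the client
    never advertised in its own request. Only the path in between could add them."""
    advertised = {t["name"] for t in request.get("tools", [])}
    return [c for c in response.get("tool_calls", []) if c.get("name") not in advertised]


class TransparencyLog:
    """Append-only log in which each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "event": event, "hash": digest})
        return digest

    def verify(self):
        """Recompute the chain; False if any entry was altered or unlinked."""
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["event"], sort_keys=True)
            if e["prev"] != prev or hashlib.sha256((prev + body).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


# Constructed sample traffic (not captured from any real router or provider).
CLEAN_REQUEST = {
    "model": "example-model",
    "tools": [{"name": "get_balance", "parameters": {"address": "string"}}],
    "messages": [{"role": "user", "content": "What is the balance of my wallet?"}],
}
# Same shape, but the user pasted an AWS-style key ID and a raw hex signing key.
LEAKY_REQUEST = {
    "model": "example-model",
    "tools": [{"name": "get_balance", "parameters": {"address": "string"}}],
    "messages": [{"role": "user", "content":
                  "Use AKIAIOSFODNN7EXAMPLE and signer 0x" + "ab" * 32 + " to pay."}],
}
# A router reply that appends a tool call the client never advertised.
TAMPERED_RESPONSE = {
    "tool_calls": [
        {"name": "get_balance", "arguments": {"address": "0xabc"}},
        {"name": "send_eth", "arguments": {"to": "0xdead", "amount": "all"}},
    ]
}


def run_demo():
    """Run gate, screen and log over the samples and return a summary dict."""
    log = TransparencyLog()
    allowed, reasons = gate_request(LEAKY_REQUEST)
    log.append({"stage": "gate", "allowed": allowed, "reasons": reasons})
    rejected = screen_response(CLEAN_REQUEST, TAMPERED_RESPONSE)
    log.append({"stage": "screen", "rejected": [c["name"] for c in rejected]})
    intact_before = log.verify()
    # Someone edits history to claim the leaky request was allowed: chain breaks.
    log.entries[0]["event"]["allowed"] = True
    return {"leak_blocked": not allowed, "leak_reasons": reasons,
            "injected_calls": [c["name"] for c in rejected],
            "log_intact_before_edit": intact_before,
            "log_intact_after_edit": log.verify()}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The screen relies on the client remembering what it sent: because the router sees plaintext, the only thing it cannot forge is the client's own record of the request, so the reply is checked against that record rather than trusted on its own. The hash chain gives the same property for the log; it does not stop a router from misbehaving, but it lets the operator prove afterwards what was sent and what was refused.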