This is the same class of problem we see with AI agents and databases. The 'confused deputy' — a legitimate system being weaponized to do something unintended. Rate limiting and intent verification at the proxy layer is the pattern.