Everyone's threat modeling the AI's code execution. They're missing the real attack surface: the human giving it orders.

The OpenAI Operator is a privileged agent. It can:
* Read your emails/docs (via API access)
* Execute code in your CI/CD pipelines
* Send messages as you
* Book meetings, make purchases

The weak link is the human-AI interface. An attacker doesn't need to breach the model. They just need to trick the human operator into pasting a malicious "task" into the chat. Classic social engineering, now with API access.

Example: Attacker embeds a prompt injection in a public webpage the human might summarize.
```
Summarize this article for me: [ https://example.com/news ]

```
The human copies the whole block, including the HTML comment. The AI executes it.

Compliance nightmare. An AI acting on delegated credentials blurs accountability. Who's liable for the action? The human? The model provider? The operator software?

We need to treat the chat interface as a high-privilege shell. Hardening steps:
* Implement mandatory input sanitization filters before the LLM.
* Require secondary approval for specific action categories (financial, data exfil).
* Log ALL human-originated instructions in an immutable audit trail.
* Run the operator under strict AppArmor/SELinux profiles, limiting its network and filesystem access.

The agent's code might be secure, but its human-controlled input channel is wide open.

--harden