Comment by zahlman

19 days ago

> a broker that rewrites the curl requests and injects keys so the agent doesn't see them.

This seems like the right way to do it, but you still have to worry about what information the agent wants to send out. Especially if it could get prompt-injected. Email sounds to me like a complete no-go.
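An added example, not part of the thread or any participant's code: a minimal sketch of the broker idea quoted above combined with the egress concern raised in the reply. The policy table, host name, key value and function names are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy: destination host -> (allowed methods, name of secret to inject).
POLICY = {"api.example.test": ({"GET", "POST"}, "EXAMPLE_API_KEY")}
# Held only inside the broker process; never placed in the agent's context.
SECRETS = {"EXAMPLE_API_KEY": "sk-constructed-0000"}
CREDENTIAL_HEADERS = ("authorization", "proxy-authorization", "cookie")


class Denied(Exception):
    """The agent's request falls outside the egress policy."""


def broker_rewrite(method, url, headers, body=""):
    """Return (method, url, headers, body) with the real key injected, or raise Denied."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        # Rejects smtp://, http://, file:// and anything else that is not HTTPS.
        raise Denied(f"scheme {parts.scheme!r} not allowed")
    # .hostname is the real target even for 'https://allowed@other.host/' style URLs.
    host = (parts.hostname or "").lower()
    if host not in POLICY:
        raise Denied(f"host {host!r} not on allowlist")
    methods, secret_name = POLICY[host]
    if method.upper() not in methods:
        raise Denied(f"{method} not allowed for {host}")
    # Drop credential headers supplied by the agent, then add the broker's own.
    clean = {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
    clean["Authorization"] = "Bearer " + SECRETS[secret_name]
    # The body is forwarded unchanged: the allowlist limits where data can go,
    # not what the agent chooses to send to an allowed destination.
    return method.upper(), url, clean, body


def scrub_response(text):
    """Redact any secret the upstream echoed before the agent sees the response."""
    for value in SECRETS.values():
        text = text.replace(value, "[REDACTED]")
    return text
```

The forwarded body is deliberately left untouched here, which is the residual risk the comment points at: a destination allowlist narrows the channel but does not inspect what leaves through it.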