Comment 2 for bug 318796

you're right, one has to be very careful when doing this.

the spec is vague, it says "trusted clients". in this case, ops can indeed not be trusted, but how about a property like "flyable-IP" that only the hub owner can set?
the hub owner can run bad actions through scripts or even change the hub program, so i guess he is the only one that can be considered trusted here.