[paweladamczuk]

I don't think there can be tool calls inside the obfuscated reasoning blocks. I mean, in order for those function calls to be evaluated client-side, that thinking stream would have to be decrypted on the client side at some point, which would defeat the purpose of obfuscating it the way they do.

If you mean the function calls might happen server side, there is nothing preventing the server from doing it and hiding it from you as long as you are using an API for inference.

[irthomasthomas]

There is server-side tool calling, such as gemini using google search and gdrive.

Also, many clients minimize the code block by default so you mostly scan the summaries. Poisoned client side code could easily escape your attention.

[exit]

the point is that introducing data from a foreign source could lead to e.g. exfiltration:

the model retrieves https://somewhere into its context and then gets confused, following instructions embedded there.

it then retrieves https://somewhere?exfiltration=private_data_in_context

it gets worse if the tooling with hidden blocks can invoke can retrieve further secrets.

[_alternator_]

If data exfiltration is a danger in your threat model, you need local LLMs (or at least ones you fully control) not just the full chain-of-thought reasoning.