Public group chats are basically hostile prompt-injection zones with friends attached. I would treat every message as untrusted input: disable write/side-effect tools by default, require per-channel allowlists, make the agent quote the exact instruction it is acting on, and keep an audit trail for tool calls. The social surface is the attack surface.