Mojira Archive
MC-72530

Commands executed on signs bypass op checks

In 1.8, commands can be executed on signs by right-clicking on a sign with a click event in the text; commands executed in this fashion bypass permission checks. For example:

/setblock ~ ~1 ~ minecraft:wall_sign 0 place {Text1:"{text:\"Click me\",clickEvent:{action:run_command,value:\"op thinkofdeath\"}}"}

will op me when I right click the sign.

This wouldn't really be an issue, since /setblock can only be used by OPs, but the packet used by clients to set the text on signs (http://wiki.vg/Protocol#Update_Sign_2) allows for raw JSON text to be sent without any limits (that I can see, could be wrong). This would allow a modded client with a sign to execute any command on the server.

I haven't modded a client to test this, so I could be wrong, but I thought it was worth bringing up anyway.

Fixed

Thinkofdeath

[Mojang] Searge (Michael Stoyke)

2014-09-29, 10:45 PM

2016-11-04, 12:42 AM

2014-10-06, 10:57 AM

0

2

Unconfirmed

exploit, security

Minecraft 1.8

Minecraft 1.8.1-pre1
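
Added example, not part of the original report and not Mojang's actual fix: a minimal sketch of the server-side check the report implies is missing, where sign text received from a client is reduced to presentation-only fields before it is stored. The function names, the allow-list and the depth limit are assumptions made for illustration.

```python
import json

# Hypothetical policy: the only fields a player-written sign line may keep.
ALLOWED_KEYS = {"text", "color", "bold", "italic", "underlined",
                "strikethrough", "obfuscated", "extra"}
MAX_DEPTH = 4  # assumed nesting limit for "extra" children


def sanitize_component(node, depth=0):
    """Copy a parsed text component, keeping presentation fields only."""
    if depth > MAX_DEPTH:
        raise ValueError("component nested too deeply")
    if isinstance(node, str):
        return {"text": node}
    if not isinstance(node, dict):
        raise ValueError("unsupported component type")
    clean = {}
    for key, value in node.items():
        if key not in ALLOWED_KEYS:
            continue  # drops clickEvent, hoverEvent, insertion, ...
        if key == "extra":
            if not isinstance(value, list):
                raise ValueError("extra must be a list")
            clean["extra"] = [sanitize_component(c, depth + 1) for c in value]
        elif key == "text":
            clean["text"] = str(value)
        else:
            clean[key] = value
    clean.setdefault("text", "")
    return clean


def sanitize_sign_line(raw):
    """Sanitize one client-supplied sign line; bad input becomes literal text."""
    try:
        return sanitize_component(json.loads(raw))
    except (ValueError, RecursionError):
        return {"text": raw}


# Constructed sample: the report's click event, written as strict JSON.
SAMPLE = ('{"text":"Click me","clickEvent":'
          '{"action":"run_command","value":"op thinkofdeath"}}')

if __name__ == "__main__":
    print(sanitize_sign_line(SAMPLE))  # {'text': 'Click me'}
```

Input that does not parse as strict JSON, including the lenient unquoted form used in the /setblock example, is stored as literal text rather than interpreted.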