Telegram, Microsoft and Slack: AI agents can spill secrets via malicious link previews

AI Agents Vulnerable to Zero-Click Data Exfiltration via Link Previews

AI security firm PromptArmor has uncovered a critical vulnerability in AI agents integrated with messaging platforms, enabling zero-click data exfiltration through malicious link previews. Attackers can exploit this flaw by injecting prompts into chat interactions, tricking AI agents into generating URLs containing sensitive data such as API keys, which are then automatically fetched by link preview systems.

Unlike traditional prompt injection attacks, which require user interaction (e.g., clicking a link), this method leverages automated link previews in apps like Slack, Telegram, and Microsoft Teams to extract data without any user action. Once an AI agent processes a malicious prompt, the URL it generates is fetched by the preview system, exposing the embedded data in the attacker's server logs.

Testing by PromptArmor revealed that Microsoft Teams (paired with Copilot Studio) was the most frequently affected platform, followed by combinations like Discord with OpenClaw and Slack with Cursor Slackbot. Some setups, such as Claude in Slack and OpenClaw via WhatsApp, were found to be less vulnerable.

The issue stems from how messaging apps handle link previews, with fixes largely dependent on platform developers. PromptArmor recommends that communication apps introduce customizable link preview settings to mitigate risks, particularly in environments where confidentiality is critical. Until then, the vulnerability remains a significant threat to AI-driven workflows.
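Until platforms expose such preview settings, the agent side can screen its own replies before they reach the chat. The sketch below is an added example, not code from PromptArmor or any affected vendor: it defangs URLs that point at hosts outside an allowlist or that carry a known secret (plain, percent-encoded, hex or base64), so the preview system has nothing to fetch. The host names, the secret value and the function names are constructed assumptions.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Constructed placeholder: hosts the agent may link to in this workspace.
ALLOWED_HOSTS = frozenset({"docs.example.com"})
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def encodings_of(secret):
    """Plain, hex and base64 forms in which a whole secret could sit in a URL."""
    raw = secret.encode()
    return {
        secret,
        raw.hex(),
        base64.b64encode(raw).decode().rstrip("="),
        base64.urlsafe_b64encode(raw).decode().rstrip("="),
    }


def guard_outgoing(message, secrets, allowed_hosts=ALLOWED_HOSTS):
    """Return (safe_message, findings) for an agent reply about to be posted."""
    needles = set().union(*(encodings_of(s) for s in secrets if s))
    findings = []

    def check(match):
        url = match.group(0)
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
            host = "invalid"
        decoded = unquote(url)  # catches percent-encoded copies of the secret
        if any(n in url or n in decoded for n in needles):
            findings.append(("secret_in_url", host))
        elif host not in allowed_hosts:
            findings.append(("unlisted_host", host))
        else:
            return url
        # Defang so the chat client's preview fetcher has nothing to request.
        return "[link removed: " + host.replace(".", "[.]") + "]"

    return URL_RE.sub(check, message), findings
```

The secret matching is a heuristic that only recognises whole-secret encodings; the host allowlist is the control that holds when the data is split or transformed in some other way.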

Source: https://www.theregister.com/2026/02/10/ai_agents_messaging_apps_data_leak/

Telegram TPRM report: https://www.rankiteo.com/company/telegram-messenger

Microsoft TPRM report: https://www.rankiteo.com/company/Microsoft

Slack TPRM report: https://www.rankiteo.com/company/slack

"id": "slaMictel1770753719",
"linkid": "slack, Microsoft, telegram-messenger",
"type": "Vulnerability",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology/Software',
                        'name': 'Microsoft Teams (with Copilot Studio)',
                        'type': 'Messaging Platform'},
                       {'industry': 'Technology/Software',
                        'name': 'Discord (with OpenClaw)',
                        'type': 'Messaging Platform'},
                       {'industry': 'Technology/Software',
                        'name': 'Slack (with Cursor Slackbot)',
                        'type': 'Messaging Platform'},
                       {'industry': 'Technology/Software',
                        'name': 'Slack (with Claude)',
                        'type': 'Messaging Platform'},
                       {'industry': 'Technology/Software',
                        'name': 'WhatsApp (with OpenClaw)',
                        'type': 'Messaging Platform'}],
 'attack_vector': 'Malicious link previews in messaging platforms',
 'data_breach': {'data_exfiltration': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['API keys', 'Sensitive data']},
 'description': 'AI security firm PromptArmor uncovered a critical '
                'vulnerability in AI agents integrated with messaging '
                'platforms, enabling zero-click data exfiltration through '
                'malicious link previews. Attackers can exploit this flaw by '
                'injecting prompts into chat interactions, tricking AI agents '
                'into generating URLs containing sensitive data such as API '
                'keys, which are then automatically fetched by link preview '
                'systems. This method leverages automated link previews in '
                'apps like Slack, Telegram, and Microsoft Teams to extract '
                'data without any user action.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to '
                                       'affected platforms and AI agents',
            'data_compromised': 'Sensitive data (e.g., API keys)',
            'operational_impact': 'Potential unauthorized access to sensitive '
                                  'data',
            'systems_affected': ['AI agents',
                                 'Messaging platforms (Slack, Telegram, '
                                 'Microsoft Teams)']},
 'initial_access_broker': {'entry_point': 'Malicious prompts in chat '
                                          'interactions'},
 'lessons_learned': 'The vulnerability highlights the risks of automated link '
                    'previews in AI-driven workflows and the need for '
                    'customizable security settings in messaging platforms.',
 'post_incident_analysis': {'corrective_actions': 'Implement customizable link '
                                                  'preview settings in '
                                                  'messaging apps and enhance '
                                                  'AI agent prompt validation.',
                            'root_causes': 'Automated link preview generation '
                                           'in messaging platforms and AI '
                                           'agents processing malicious '
                                           'prompts'},
 'recommendations': 'Communication apps should introduce customizable link '
                    'preview settings to mitigate risks, particularly in '
                    'environments where confidentiality is critical.',
 'references': [{'source': 'PromptArmor'}],
 'response': {'remediation_measures': 'PromptArmor recommends communication '
                                      'apps introduce customizable link '
                                      'preview settings to mitigate risks.'},
 'title': 'AI Agents Vulnerable to Zero-Click Data Exfiltration via Link '
          'Previews',
 'type': 'Data Exfiltration',
 'vulnerability_exploited': 'Automated link preview generation in AI agents'}