Full Report
Zero-click prompt injection can leak data when AI agents meet messaging apps, researchers warn

AI agents can shop for you, program for you, and, if you're feeling bold, chat for you in a messaging app. But beware: attackers can use malicious prompts in chat to trick an AI agent into generating a data-leaking URL, which link previews may fetch automatically.…
Analysis Summary
# Vulnerability: Zero-Click Prompt Injection via Malicious Link Previews in AI Agents
## CVE Details
- CVE ID: Not specified in the provided text.
- CVSS Score: Not specified in the provided text.
- CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) is the closest fit, since the impact is data leakage.
## Affected Systems
- Products: AI agents integrated into messaging platforms when link previews are enabled. Specific combinations highlighted include:
  - Microsoft Teams (with Microsoft Copilot Studio)
  - Discord (with OpenClaw or BoltBot)
  - Slack (with Cursor Slackbot)
  - Snapchat (with SnapAI)
  - Telegram (with OpenClaw)
- Versions: Specific vulnerable versions are not detailed; the issue is reported to appear under default configurations (e.g., in Telegram).
- Configurations: The vulnerability surfaces when the messaging platform generates link previews automatically for an agent response that contains a malicious, agent-generated URL.
## Vulnerability Description
The vulnerability is a form of **indirect prompt injection** that leverages the **automatic link preview** functionality common in messaging applications. An attacker tricks an AI agent (via a maliciously crafted prompt) into generating an outbound URL that encodes sensitive data, such as API keys or user context, within the URL itself. Because messaging apps generate link previews automatically for any URL that is posted, the preview mechanism fetches metadata from the attacker-controlled URL. The attacker's server only has to log that incoming HTTP request to capture the data embedded in the URL. The result is zero-click data exfiltration: no user interaction is required beyond the initial message exchange, because the platform, not the user, issues the request.
## Exploitation
- Status: Proof-of-Concept (PoC) is available via tests conducted by PromptArmor (indicated by the creation of a testing website). Not explicitly stated as "exploited in the wild."
- Complexity: Low (Zero-click data exfiltration after initial prompt setup).
- Attack Vector: Network (The attack relies on the agent generating a URL that causes an external network request upon preview fetching).
## Impact
- Confidentiality: High (Sensitive information like API keys can be exfiltrated).
- Integrity: Low (The primary impact is data leakage, not modification of core services).
- Availability: Low (No direct impact on service uptime).
## Remediation
### Patches
- **For OpenClaw/Telegram configuration:** Making a specific change in OpenClaw's config file is mentioned as a potential fix for Telegram setups. Specific patch versions are not provided.
- Vendor patches are highly dependent on both the AI agent/platform developer (e.g., Microsoft, Slack) and the messaging application itself.
### Workarounds
1. **Disable Link Previews:** If possible on the platform or in the agent configuration, disable automatic link previews.
2. **Configure Agent Isolation:** Restrict AI agents from operating in environments where confidentiality is critical until fixes are deployed.
3. **Use Safer Configurations:** Use configurations noted as safer (e.g., Claude app in Slack, OpenClaw via WhatsApp) if applicable.
4. **Review Messaging App Preferences:** Messaging app developers should expose link preview preferences to agent developers, and developers should leverage them to disable previews for LLM interactions where necessary.
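Workarounds 1 and 4 both come down to controlling what the agent posts and whether the platform is allowed to preview it. The Python guard below is an added example, not code from PromptArmor or from any of the agent or platform vendors named above. It assumes a hypothetical integration point where the agent's reply text is available before it is posted, a hypothetical allowlist of hosts (`ALLOWED_HOSTS`) and a constructed set of placeholder secrets (`AGENT_SECRETS`). It extracts every URL from the reply, checks whether any secret the agent holds appears in the URL raw, percent-encoded or base64-encoded, and returns a decision the caller maps onto the platform's own preview control: post normally, post with previews disabled, or refuse to post.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Constructed sample of secrets the agent holds in its context. In a real
# deployment these would be loaded from the agent's own configuration or
# secret store; the values here are placeholders, not real credentials.
AGENT_SECRETS = {
    "api_key": "sk-example-3f9a1c77b2d4",
    "session_token": "sess-0a1b2c3d",
}

# Hypothetical allowlist of hosts the agent is expected to link to.
ALLOWED_HOSTS = {"docs.example.com", "example.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def _forms(value: str) -> set[str]:
    """Shapes a secret may take when smuggled into a URL: raw, standard
    base64 and URL-safe base64 (padding stripped so partial matches work)."""
    raw = value.encode()
    return {
        value,
        base64.b64encode(raw).decode().rstrip("="),
        base64.urlsafe_b64encode(raw).decode().rstrip("="),
    }


def leaked_secrets(url: str, secrets: dict[str, str]) -> list[str]:
    """Names of secrets whose value appears in the URL, raw, percent-encoded
    or base64-encoded."""
    decoded = unquote(url)  # undo %XX so percent-encoded copies still match
    return [
        name
        for name, value in secrets.items()
        if any(form in url or form in decoded for form in _forms(value))
    ]


def inspect_reply(text: str, secrets=AGENT_SECRETS, allowed=ALLOWED_HOSTS) -> dict:
    """Classify an agent reply before it is handed to the messaging platform.

    decision is one of:
      'allow'       no URLs, or only allowlisted hosts carrying no secrets
      'no_preview'  a non-allowlisted host with no secret: post it, but with
                    link previews disabled via the platform's own setting
      'block'       a URL carries one of the agent's secrets: do not post it
    """
    decision, findings = "allow", []
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        leaks = leaked_secrets(url, secrets)
        if leaks:
            decision = "block"
        elif host not in allowed and decision == "allow":
            decision = "no_preview"
        if leaks or host not in allowed:
            findings.append({"url": url, "host": host, "leaks": leaks})
    return {"decision": decision, "findings": findings}


def demo() -> dict[str, str]:
    """Run the guard over constructed replies and return name -> decision."""
    key = AGENT_SECRETS["api_key"]
    b64 = base64.urlsafe_b64encode(key.encode()).decode().rstrip("=")
    samples = {
        "clean_allowlisted": "See https://docs.example.com/guide for details.",
        "clean_unknown_host": "Source: https://news.example.net/article?id=42",
        "raw_secret_in_query": f"Log: https://untrusted.invalid/c?k={key}",
        "b64_secret_in_path": f"Summary: https://untrusted.invalid/p/{b64}",
        "percent_encoded": "Ref: https://untrusted.invalid/?s=sess%2D0a1b2c3d",
    }
    return {name: inspect_reply(text)["decision"] for name, text in samples.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22} -> {decision}")
```

The secret-matching step is deliberately conservative: a blocked reply is a cheap false positive, whereas a single missed URL is the whole vulnerability. Matching against the agent's actual secrets (rather than generic "looks like a key" heuristics) keeps the check precise, and the `no_preview` decision covers the residual case where the destination is merely unknown.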
## Detection
- **Indicators of Compromise:** Outbound network requests initiated by the messaging/AI platform to external, unverified domains immediately following an AI agent's response containing a link.
- **Detection Methods and Tools:** Monitor network egress from the AI agent and from the platform's link-preview fetcher for connections to newly seen or unverified domains, and correlate those connections with agent responses that contain links.
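The correlation described above, as an added example that is not part of the original report or of any vendor's tooling: two hypothetical log streams (an `agent_reply` event for each link the agent posts and a `preview_fetch` event for each request the platform's preview fetcher makes) are read in time order, and a preview fetch to a host outside a hypothetical allowlist is raised as an alert when it follows, within a short window, an agent reply that linked to that same host. The log format, the allowlist and the sample lines are all constructed for this example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Hypothetical log formats, one event per line (constructed for this example):
#   <ts> agent_reply msg_id=<id> url=<url>      emitted when the agent posts a link
#   <ts> preview_fetch dst=<host> path=<path>   emitted by the platform's preview fetcher
AGENT_LINE = re.compile(r"^(?P<ts>\S+) agent_reply msg_id=(?P<msg>\S+) url=(?P<url>\S+)$")
EGRESS_LINE = re.compile(r"^(?P<ts>\S+) preview_fetch dst=(?P<host>\S+) path=(?P<path>\S+)$")

KNOWN_HOSTS = {"docs.example.com", "example.com"}  # hypothetical allowlist
WINDOW = timedelta(seconds=10)  # how soon after a reply a preview fetch is expected

# Constructed sample log. The opaque token on msg m2 stands in for whatever an
# injected prompt caused the agent to embed in the URL; it decodes to nothing sensitive.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z agent_reply msg_id=m1 url=https://docs.example.com/guide",
    "2024-05-01T10:00:01Z preview_fetch dst=docs.example.com path=/guide",
    "2024-05-01T10:00:05Z agent_reply msg_id=m2 url=https://untrusted.invalid/c?d=b3BhcXVlLXRva2Vu",
    "2024-05-01T10:00:06Z preview_fetch dst=untrusted.invalid path=/c?d=b3BhcXVlLXRva2Vu",
    "2024-05-01T10:05:00Z preview_fetch dst=other.invalid path=/",
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(lines, known=KNOWN_HOSTS, window=WINDOW) -> list[dict]:
    """Flag preview fetches to non-allowlisted hosts that follow, within
    `window`, an agent reply linking to that same host."""
    replies = []  # (timestamp, msg_id, host) for every agent reply seen so far
    alerts = []
    for line in lines:
        m = AGENT_LINE.match(line)
        if m:
            host = (urlsplit(m["url"]).hostname or "").lower()
            replies.append((_ts(m["ts"]), m["msg"], host))
            continue
        m = EGRESS_LINE.match(line)
        if not m:
            continue  # unrelated log line
        host, when = m["host"].lower(), _ts(m["ts"])
        if host in known:
            continue  # expected destination, no alert
        for reply_ts, msg_id, reply_host in replies:
            delay = when - reply_ts
            if reply_host == host and timedelta(0) <= delay <= window:
                alerts.append({
                    "msg_id": msg_id,
                    "host": host,
                    "path": m["path"],
                    "delay_s": delay.total_seconds(),
                    # a long path or query on a first-seen host is the tell-tale sign
                    "payload_len": len(m["path"]),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The fetch to `other.invalid` at the end of the sample is not alerted on: it has no preceding agent reply, so it is an ordinary unknown-host fetch rather than the agent-triggered pattern the report describes. Keying alerts on that pairing (reply with link, then fetch of the same host by the preview component) is what separates this signal from the background noise of users pasting links.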
## References
- Vendor advisories: None specified, discovery attributed to PromptArmor research.
- Relevant links (defanged):
  - Research Website: hxxps://www.aitextrisk.com/