Researchers at PromptArmor discovered that a hidden instruction in a public Slack channel — a channel the attacker didn’t even belong to — could trick Slack AI into retrieving API keys from private channels and exfiltrating them via a disguised link. No access to the private channel required. The attack left no trace in Slack’s citation history. Slack initially described the behaviour as intended. A patch was deployed after public disclosure.
“An agent that reads external content can be redirected by instructions hidden in that content. Your build-time guardrails don’t cover inputs you don’t control.”
SaaS scanner detects Slack AI deployments and their permission scope. CIM contracts define which channels and sources each agent is authorised to read.
Source: PromptArmor, The Register, August 2024.
Could this happen in your organisation?
Find every AI agent operating across your estate in under 10 minutes.
Talk to us