"@Claude" Is Now A Command. A Bot Message Can Trigger It.
Tego AI showed a bot Slack message can trigger Claude Tag to leak and delete enterprise data. This isn't a Slack bug — it's the shape of every AI agent.
Yesterday a stealth-mode Israeli cybersecurity firm called Tego AI published a five-minute video that should scare any operator about to plug an AI agent into their Slack.
The setup: Anthropic's new native Slack integration, Claude Tag. Ping @Claude in a channel, it acts. Tego showed that Claude Tag will fire on the literal string @Claude — no real Slack mention required. A bot message. A webhook. An automated feed. Any of them can instruct it.[1]
In their proof-of-concept, a bot-generated Slack message told Claude Tag to pull an internal document, paste its contents into a public channel, and then delete the original from the connected app. It worked. Anthropic classified the disclosure as "informative" and disputed that literal @Claude text or bot messages start sessions under the product's default configuration.[1] The video shows what shows.
That's the story. Here's why every marketer calling this a "Slack bug" is missing the point.
The class of problem isn't Slack-shaped
This is indirect prompt injection. It's been sitting at the top of the OWASP LLM Top 10 for two editions running as LLM01 — because language models cannot reliably tell instructions from content they were asked to read.[2]
Every AI agent you're being sold treats its context window as authoritative. Whatever gets pulled in — a Slack message, a support ticket, a webpage, a PDF, a calendar invite — is read as if it might be a command. Sometimes it is.
CrowdStrike's 2026 Global Threat Report tracked prompt injection attacks at more than 90 organizations in 2025 alone. AI-enabled adversary operations rose 89% year over year. And 82% of intrusions in the report involved no traditional malicious code — the attackers just wrote English.[3]
The Slack AI exfiltration attack from August 2024 (PromptArmor). The zero-click EchoLeak in Microsoft 365 Copilot in 2025 (CVE-2025-32711, CVSS 9.3).[4] The Claude Tag disclosure this week. Different products, same class of flaw. Different patches. Same underlying vulnerability. It's not going away.
The numbers most operators haven't seen yet
If you're running a business with an AI agent already touching your stack, sit with these:
- 88.4% of organizations in AvePoint's State of AI 2026 report suffered at least one AI-agent-related security incident in the last 12 months.[5]
- 50.1% of those incidents were data leakage. 49.6% were manipulation via untrusted inputs — exactly the class Tego demonstrated.[5]
- 89.5% of organizations reported a generative-AI-related security breach in 2026, up from 75.1% in 2025.[5]
- Meanwhile, 82.7% of the leaders in that same survey said they were confident they could prevent unauthorized data access. Nearly 9 in 10 of those confident companies were breached anyway.[5]
That last stat is the one I'd pin above every audit call. Confidence and coverage are inversely correlated right now.
What the vendors are selling you is a threat model that no longer exists
Every enterprise SaaS pitch I've heard in the last six months has the same slide: "role-based access control, audit logs, SSO." Fine. Those work when the entity taking the action is a person you can identify and revoke.
An AI agent breaks that model in three places at once:
- Identity is fake. When Claude Tag acts on a
@Claudemessage from a bot, who authorized that action? Not a human. Not really the bot either. It's the model deciding a string looks enough like an instruction to run. - The perimeter is inside your data. RAG pipelines and connected integrations ingest content from customers, vendors, and the open web. Every one of those inputs is a candidate carrier for a hidden instruction.
- The blast radius is a function of your permissions, not the attacker's. Tego's example ended in delete the original resource. Whatever your agent is allowed to touch — CRM records, invoices, calendar invites, code — is what a well-placed sentence in a support ticket can also touch.
Tego's CTO framed it plainly: "A safety classifier can be an important defense, but it should not be the final authorization boundary for enterprise actions."[1]
I agree with him — and I'd go further. The industry keeps trying to solve prompt injection at the model layer. It's unsolved there. The working strategy in 2026 is containment: assume some injection lands, and design so a landed injection can't do much.[6]
What I'd actually do if I were plugging an AI agent into my business this month
Concrete, in the order I'd do them:
1. Read-only by default. Every connector to every downstream system starts read-only. The bar for write access — send email, modify CRM, run SQL, delete anything — is a specific, named workflow, not "agent can do all the things." Least-privilege isn't optional. Tego's official recommendation.[1]
2. Kill the untrusted-content channels. If a channel or inbox ingests bot messages, webhooks, external emails, or customer-submitted content, the agent doesn't listen to it. Full stop. That's the class of vector Tego demonstrated, and it's the class that scales.
**3. Deterministic guardrails on the action, not the prompt.** The agent doesn't get to authorize a payment, a mass email, a data deletion, or a schema change. A rules engine does — one the model can request from but not override. Model reasoning is a suggestion; the deterministic layer is the boundary.
4. Human in the loop for anything with a receipt. Any action that moves money, sends a message on behalf of the company, or touches production data flows through a review queue. A fast one — a chat approval, not a ticket — but a mandatory one.
5. Independent audit path. Slack's own audit logs weren't enough to catch what Tego showed. If your governance visibility only lives inside the app being attacked, you have no governance visibility. Ship agent activity to something outside the agent's reach.
This isn't paranoia; it's the standard playbook for anything that touches production. We just haven't been building AI systems that way because the vendor demos don't show this failure mode.
The real question
Tego's framing is the one that stuck with me: "who is actually authorized to instruct the agent?"[1]
If the honest answer at your company is "anyone whose text ends up in a channel the agent listens to" — customer support chats, bot notifications, forwarded emails, uploaded PDFs — then you don't have an authorization model. You have a suggestion box wired to production.
That's what AvePoint's 88.4% number is measuring, whether the companies in it realize it or not.
If you're standing up an AI agent stack this quarter and want a real audit before you plug it into Slack, Gmail, or your CRM, that's what a 30-minute audit call is for. I'll tell you exactly what your version would look like, which channels I'd unplug immediately, and where the deterministic boundary should sit. No pitch.
-
Tego AI Finds Claude Tag Slack Integration Can Trigger Unauthorized Enterprise Actions↩
Tego AI's July 14, 2026 disclosure showing Claude Tag responds to literal '@Claude' text in bot-generated Slack messages and can be induced to retrieve, publish, and delete internal data.
-
OWASP Top 10 for Large Language Model Applications↩
Prompt injection has ranked LLM01 across two consecutive OWASP LLM Top 10 editions.
-
2026 CrowdStrike Global Threat Report↩
Prompt injection at 90+ organizations in 2025; AI-enabled adversary operations rose 89% year over year; 82% of intrusions involved no traditional malicious code.
-
Prompts Are The New Malware As Enterprise AI Defenses Fall Behind↩
Documents the 2024 Slack AI exfiltration and 2025 EchoLeak zero-click CVE-2025-32711 (CVSS 9.3) attacks on Microsoft 365 Copilot.
-
State of AI 2026: Trust, Control, and the Rise of AI Agents↩
88.4% of orgs experienced an AI-agent-related security incident; 89.5% reported a genAI breach in 2026 (up from 75.1% in 2025); 82.7% of confident leaders were breached; incident mix: 50.1% data leakage, 49.6% malicious-input manipulation.
-
AI agent security in 2026: stop prompt injection before agents act↩
Frames the 2026 working strategy for AI agent security as containment: assume some injection lands and prevent it from doing damage.
Ready to build your own AI system?
Book a Free Audit Call →Keep Reading
Give The AI CMO A Goal And A Budget. Watch It Set Your Money On Fire.
Half a dozen vendors just launched "AI CMO" platforms. Gartner says 40% of agentic AI projects will be cancelled. Here's what to build instead.
GitHub Just Made An Agentic AI Cert. Don't Hire For It.
GitHub just launched GH-600, a new Agentic AI Developer certification. Every recruiter is about to filter for it. Here's why business owners shouldn't.
HubSpot's Stock Is Down 70%. They're Repricing To Survive AI.
HubSpot's stock is down 70% and they just flipped Breeze agents to pay-per-result pricing. Here's what that means for every SaaS line item on your invoice.