The dangers of AI agents unfurling hyperlinks and what to do about it (via) Here’s a prompt injection exfiltration vulnerability I hadn’t thought about before: chat systems such as Slack and Discord implement “unfurling”, where any URLs pasted into the chat are fetched in order to show a title and preview image.
If your chat environment includes a chatbot with access to private data and that’s vulnerable to prompt injection, a successful attack could paste a URL to an attacker’s server into the chat in such a way that the act of unfurling that link leaks private data embedded in that URL.
Johann Rehberger notes that apps posting messages to Slack can opt out of having their links unfurled by passing the "unfurl_links": false, "unfurl_media": false properties to the Slack messages API, which can help protect against this exfiltration vector.
Recent articles
- Design Patterns for Securing LLM Agents against Prompt Injections - 13th June 2025
- Comma v0.1 1T and 2T - 7B LLMs trained on openly licensed text - 7th June 2025
- The last six months in LLMs, illustrated by pelicans on bicycles - 6th June 2025