In a recent revelation, Tego AI, a cybersecurity firm based in Tel Aviv, Israel, has highlighted potential security vulnerabilities associated with Anthropic’s Claude Tag integration in Slack. The company’s findings suggest that unintended Slack content could inadvertently prompt unauthorized actions in enterprise systems through this integration.
Discovery of Security Weaknesses
Tego AI’s latest research identifies a significant security concern in the way Claude Tag, Anthropic’s integration tool, interacts with Slack. The study reveals that messages containing the plain text “@Claude” can trigger responses from Claude Tag without requiring an actual Slack mention. This loophole allows external sources like bots or webhooks to be misinterpreted as legitimate instructions.
The research team showed how these interactions could lead to unauthorized access to internal resources. For instance, bot-generated messages might instruct Claude Tag to extract and share internal data on Slack, and even delete the original data. Tego AI’s findings underline the potential risks to organizational security posed by such automated interactions.
Implications for Enterprise AI Security
Tal Melamed, CTO and Co-Founder of Tego AI, emphasized the need for robust controls over enterprise AI agents. He pointed out that organizations must ensure that only authorized personnel have the ability to instruct these agents. The research also raises concerns about the use of untrusted automated content as a possible indirect instruction channel, which could expand the attack surface through connected applications.
Moreover, Melamed highlighted the risk of administrative access to stored data bypassing Slack’s native membership models. He advocated for deterministic controls that remain effective even if the AI model misinterprets a request or trusts a wrong identity.
Recommendations and Industry Response
Tego AI has proposed several recommendations to mitigate these risks, including applying least-privilege permissions to Claude Tag connections, limiting access to channels with untrusted content, and maintaining detailed Slack logs. These measures aim to prevent unauthorized actions and enhance the security of sensitive operations.
The company has responsibly disclosed these findings to Anthropic, which has classified the concerns as informative. Anthropic disputes the claim that literal “@Claude” text or bot-generated messages can trigger Claude Tag under default settings. Tego AI’s extensive report provides detailed insights, evidence, and a disclosure timeline.
As Tego AI continues its work in cybersecurity, the firm remains committed to uncovering vulnerabilities in AI platforms. With further disclosures planned, the company’s efforts highlight the ongoing need to safeguard enterprise systems from emerging threats.
