Silent Theft: How Link Previews Turn Your AI Agent Into a Data Leak

You’re chatting with your AI assistant through Telegram. It fetches some web content, generates a helpful response with a link. Before you even read the message, your data is already gone. No clicks required.

The Core Insight

PromptArmor has identified a critical vulnerability affecting AI agents integrated with messaging platforms: link preview exfiltration.

Here’s the attack chain:

1. Malicious content contains a prompt injection
2. The injection manipulates your AI agent to generate a URL with your data in the query parameters
3. Messaging apps like Telegram and Slack automatically fetch link previews
4. That preview request sends your data to the attacker’s server
5. You never clicked anything

Traditional prompt injection attacks require user interaction—you’d need to click the malicious link. Link previews bypass this entirely. The moment your agent responds with a poisoned URL, the damage is done.

Why This Matters

This attack surface exists because of a collision between two well-intentioned features:

• AI agents that can access your context and data
• Messaging apps that fetch URL metadata to show helpful previews

Neither feature is malicious on its own. Together, they create an automatic exfiltration channel.

The attack is particularly nasty because:
– It requires zero user awareness or action
– It works on default configurations
– The data theft happens before you even read the message
– It’s invisible unless you’re monitoring network requests

OpenClaw via Telegram is vulnerable by default. And this likely affects many other agent/messaging combinations.

The Defense

For OpenClaw users, the fix is simple:

// In ~/.openclaw/openclaw.json
{
  "channels": {
    "telegram": {
      "linkPreview": false
    }
  }
}

But this highlights a broader design problem. Who’s responsible for this security gap?

• Agent developers need to consider output sanitization
• Messaging platforms should expose preview controls to developers
• Users need awareness that default configs may be insecure

Key Takeaways

• Link previews are network requests: Any URL in an AI response can trigger automatic data transmission
• Default configurations are often insecure: Don’t assume safe defaults in agentic systems
• Prompt injection attacks are evolving: The vector isn’t just “tricking the AI”—it’s weaponizing platform features
• Test your setup: PromptArmor provides AITextRisk.com to validate your agent’s behavior

Looking Ahead

As AI agents become more integrated into our communication channels, we’ll see more of these “feature collision” vulnerabilities. Two secure systems combining to create an insecure system.

The solution isn’t to abandon either agents or rich messaging features. It’s to design for the interaction:

• LLM-safe channels with custom preview configurations
• Agent output filtering for URL patterns
• User controls that let you choose your security posture

The agentic era requires rethinking security at the integration layer, not just the application layer. Every feature that touches AI output is now a potential exfiltration channel.

Based on analysis of “Data Exfil from Agents in Messaging Apps” by PromptArmor