Research Notes

Data-Exfiltration Risk in Slack AI Connected to Private Data

By Satwik ยท May 24, 2026

In August 2024, security firm PromptArmor published research showing that Slack AI, which answers questions using an organization's workspace content, could be manipulated into leaking data from private channels the requesting user could not access. The core issue was indirect prompt injection combined with the assistant's retrieval scope.

An attacker who could post into a public channel, even a channel with only themselves in it, could plant instructions. When another user later queried Slack AI, the retrieval step could pull in the attacker's planted text alongside legitimate private data, and the injected instructions could cause the assistant to render an exfiltration path, for example a clickable link that carried a secret from a private channel to an attacker-controlled destination. The assistant effectively acted as a confused deputy, using its broad read access on behalf of an attacker's instructions.

Why it matters: this was a clear enterprise instantiation of the indirect-injection-plus-exfiltration pattern. RAG assistants inherit the union of permissions of everything they can retrieve, and a single low-privileged injection point can bridge trust boundaries that the underlying access controls were meant to enforce.

The defensive lesson is that connecting an assistant to private corporate data creates a new aggregation-and-exfiltration surface. Enforce that retrieval respects the requesting user's permissions strictly, distrust ingested content as instructions, constrain what the assistant can render or link to, and red-team the assistant against injected channel content before granting it broad workspace access. Access control at the data layer does not automatically hold at the assistant layer.