CIO Influence
CIO Influence News Machine Learning Security

Tego AI Finds Claude Tag Slack Integration Can Trigger Unauthorized Enterprise Actions

Tego AI Finds Claude Tag Slack Integration Can Trigger Unauthorized Enterprise Actions

Tego AI Finds Claude Tag Slack Integration Can Trigger

Cybersecurity start-up Tego AI reveals that the new Anthropic’s native slack integration, Claude Tag, can be triggered by non-intentional Slack content and drive unauthorized actions across enterprise systems

Tego AI, a cybersecurity company, published new research identifying a potentially critical security weakness in Claude Tag, Anthropic’s native integration between Claude and Slack. Researchers observed Claude Tag responding to messages containing the literal text “@Claude” without requiring a genuine structural Slack mention. As a result, content delivered through bots, webhooks, automated feeds, or other external sources could potentially be interpreted as instructions.

The research demonstrated the potential impact through a connected internal organizational resource. Bot-generated messages instructed Claude Tag to retrieve internal information, publish it into Slack, and subsequently delete the original resource using the organization’s configured connection.

The video below demonstrates the observed behavior and its potential impact on connected organizational systems.

“Our research raises a fundamental question for every organization deploying enterprise AI agents: who is actually authorized to instruct the agent?” said Tal Melamed, CTO and Co-Founder of Tego AI. “Organizations need controls that validate the origin and purpose of sensitive actions before an agent is allowed to execute them.”

Also Read: CIO Influence Interview with Hugo Dozois-Caouette, CTO and Co-founder at MaintainX

The research also identified broader concerns involving untrusted automated content becoming an indirect instruction channel, connected applications and MCP servers expanding the potential impact, administrative access to stored channel information outside Slack’s native membership model, and limited visibility through existing history, compliance, and audit interfaces.

“A safety classifier can be an important defense, but it should not be the final authorization boundary for enterprise actions,” Melamed added. “Sensitive operations require deterministic controls that remain effective even when the model misunderstands a request, trusts the wrong identity, or makes an incorrect decision.”

Tego AI recommends applying least-privilege permissions to Claude Tag connections, preferring read-only access, avoiding channels that ingest untrusted external content, restricting administrative access, retaining relevant Slack logs, and introducing independent runtime authorization for sensitive actions.

Tego AI responsibly disclosed the findings to Anthropic. Anthropic classified the submission as informative and disputed that literal “@Claude” text or bot-generated messages initiate Claude Tag sessions under the product’s default configuration. Tego AI’s full report documents the observed behavior, supporting evidence, security implications, and disclosure timeline.

Catch more CIO Insights: What Does “Job-Ready” Really Mean in IT and Cybersecurity?

[To share your insights with us, please write to psen@itechseries.com ]

Related posts

Lightedge Scales Global DDoS Protection with $1.2Million Corero Network Security Expansion

PR Newswire

Anomalix Appoints Cybersecurity Veteran Fred Bement to Advisory Board

PR Newswire

Defining the Future of AI Security: Akamai Selected as Strategic Security Partner for WWT’s ARMOR Framework

GlobeNewswire