Slide 6 of 27
Part 1 · What Is It?
Slide 6 · The Blast Radius
What an overpowered agent can actually do when something goes wrong.
These are not theoretical. Each has a documented real-world example.
📤 Data Exfiltration
Agent reads private data (emails, DMs, documents) and sends it to an attacker-controlled endpoint. Slack AI, August 2024: private-channel secrets exfiltrated via injected prompt in a public message.
💻 Remote Code Execution
Agent modifies its own security configuration, then executes shell commands. CVE-2025-53773: Copilot disabled confirmations and downloaded malware from a C2 server.
🗑️ Data Destruction
Agent with delete permissions removes records, files, or databases. A document agent given both read and delete can be tricked into purging what it was meant to summarize.
🔗 Cascading Compromise
A compromised parent agent spawns sub-agents that inherit its authority. OpenClaw (2026): 21,000+ exposed instances across interconnected corporate systems.
💸 Unauthorized Financial Actions
Agents with payment or accounting access process unauthorized transactions. Example: a reconciliation agent asked to export “all records matching pattern X”, where X was crafted to match every record.
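The destruction, cascading-compromise and bulk-export cases above share one mitigation: give each agent only the tools and scope it needs, make delegated authority shrink rather than grow, and bound how many records a single call may touch. The following is an added example, not code from the slide deck or from any product it names; the agent roles, tool names, record store and the 50% "too broad" threshold are all constructed for illustration.

```python
"""Added example, not part of the slide deck: a capability-scoped tool
dispatcher that bounds the blast radius for the destruction, cascading and
bulk-export cases.  Agent roles, tool names, records and thresholds are all
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed record store standing in for a document or accounting system.
RECORDS: Dict[str, str] = {
    "inv-001": "Invoice 001: 120.00 USD",
    "inv-002": "Invoice 002: 75.50 USD",
    "inv-003": "Invoice 003: 990.00 USD",
}

# Refuse a bulk delete/export whose pattern matches more than this share of
# the store: a pattern "crafted to match every record" trips it.
MAX_MATCH_FRACTION = 0.5


class PermissionDenied(Exception):
    """Raised when an agent asks for a tool or scope it was not granted."""


@dataclass(frozen=True)
class Capability:
    tool: str            # "read", "delete" or "export"
    max_records: int     # most records a single call may touch


@dataclass(frozen=True)
class Agent:
    name: str
    caps: FrozenSet[Capability]

    def cap_for(self, tool: str) -> Capability:
        for cap in self.caps:
            if cap.tool == tool:
                return cap
        raise PermissionDenied(f"{self.name} has no {tool!r} capability")

    def spawn(self, name: str, requested: FrozenSet[Capability]) -> "Agent":
        """Create a sub-agent with attenuated authority: every requested
        capability must already be held by the parent, and the record budget
        can only shrink, never grow."""
        granted = set()
        for req in requested:
            parent_cap = self.cap_for(req.tool)   # raises if the parent lacks it
            granted.add(Capability(req.tool,
                                   min(req.max_records, parent_cap.max_records)))
        return Agent(name, frozenset(granted))


def matching_ids(pattern: str) -> List[str]:
    # Constructed matcher: substring match on record ids.  An empty pattern
    # matches everything, which is exactly the over-broad case to guard.
    return sorted(rid for rid in RECORDS if pattern in rid)


def dispatch(agent: Agent, tool: str, pattern: str) -> List[str]:
    """Run one tool call on behalf of an agent, enforcing its capability."""
    cap = agent.cap_for(tool)
    ids = matching_ids(pattern)
    if tool in ("delete", "export"):
        if len(ids) > cap.max_records:
            raise PermissionDenied(f"{agent.name}: {tool} of {len(ids)} records "
                                   f"exceeds budget {cap.max_records}")
        if len(ids) > MAX_MATCH_FRACTION * len(RECORDS):
            raise PermissionDenied(f"{agent.name}: pattern {pattern!r} matches "
                                   f"{len(ids)}/{len(RECORDS)} records, too broad")
    if tool == "read":
        return [RECORDS[rid] for rid in ids]
    # delete and export are simulated: the affected ids are returned and the
    # store is left untouched, so the example is side-effect free.
    return ids


def allowed(agent: Agent, tool: str, pattern: str) -> Optional[List[str]]:
    """Convenience wrapper: the result on success, None when policy refuses."""
    try:
        return dispatch(agent, tool, pattern)
    except PermissionDenied:
        return None


# Least privilege: the summarizer gets read only; the reconciler may export a
# bounded number of records but never delete.
SUMMARIZER = Agent("summarizer", frozenset({Capability("read", 100)}))
RECONCILER = Agent("reconciler",
                   frozenset({Capability("read", 100), Capability("export", 10)}))

if __name__ == "__main__":
    print(allowed(SUMMARIZER, "read", "inv"))        # three invoice texts
    print(allowed(SUMMARIZER, "delete", "inv"))      # None: no delete capability
    print(allowed(RECONCILER, "export", "inv-002"))  # ['inv-002']
    print(allowed(RECONCILER, "export", ""))         # None: matches every record
    helper = RECONCILER.spawn("helper", frozenset({Capability("export", 50)}))
    print(helper.cap_for("export").max_records)      # 10: budget attenuated, not raised
```

The two bulk guards are deliberately independent: the per-call budget caps what a single agent may touch even with a narrow pattern, while the match-fraction check catches a pattern that is technically within budget but covers most of the store. A real deployment would also log every refusal, since a summarizer suddenly requesting delete is itself a strong injection signal.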