Slide 10 · Attack Pattern 1 of 4
The agent has tools it doesn’t need — and an attacker uses them.
Extra functionality is extra attack surface. Every unused feature is a loaded weapon.
How It Works
A developer integrates an email plugin marketed as a “full integration” — it reads, searches, composes, and sends. The agent only needs to summarize incoming messages. But the send function is registered and available. An attacker who can influence the agent’s input just needs to tell it to send.
Real Incident
Slack AI Data Exfiltration
PromptArmor Disclosure · August 2024
Slack AI had access to the user’s full channel history across all channels it was authorized for. An attacker with access to any public channel planted adversarial instructions in a message. When any Slack AI user asked a question, the model followed the planted instructions — summarizing private DMs and encoding secrets into clickable URLs that sent data to the attacker’s server. The model had access to far more data than any single summarization task required.
Takeaway: Scope the agent’s data access to the current task, not the user’s entire history. A tool that reads all channels when the user only asked about one is overpowered by design.