TEL AVIV, Israel, July 14, 2026 (GLOBE NEWSWIRE) — Tego AI, a cybersecurity company, published new research identifying a potentially critical security weakness in Claude Tag, Anthropic’s native integration between Claude and Slack. Researchers observed Claude Tag responding to messages containing the literal text “@Claude” without requiring a genuine structural Slack mention. As a result, content delivered through bots, webhooks, automated feeds, or other external sources could potentially be interpreted as instructions.
The research demonstrated the potential impact through a connected internal organizational resource. Bot-generated messages instructed Claude Tag to retrieve internal information, publish it into Slack, and subsequently delete the original resource using the organization’s configured connection.
The video below demonstrates the observed behavior and its potential impact on connected organizational systems.
https://www.youtube.com/embed/WLraBvCQxM8
“Our research raises a fundamental question for every organization deploying enterprise AI agents: who is actually authorized to instruct the agent?” said Tal Melamed, CTO and Co-Founder of Tego AI. “Organizations need controls that validate the origin and purpose of sensitive actions before an agent is allowed to execute them.”
The research also identified broader concerns involving untrusted automated content becoming an indirect instruction channel, connected applications and MCP servers expanding the potential impact, administrative access to stored channel information outside Slack’s native membership model, and limited visibility through existing history, compliance, and audit interfaces.
“A safety classifier can be an important defense, but it should not be the final authorization boundary for enterprise actions,” Melamed added. “Sensitive operations require deterministic controls that remain effective even when the model misunderstands a request, trusts the wrong identity, or makes an incorrect decision.”
Tego AI recommends applying least-privilege permissions to Claude Tag connections, preferring read-only access, avoiding channels that ingest untrusted external content, restricting administrative access, retaining relevant Slack logs, and introducing independent runtime authorization for sensitive actions.
Tego AI responsibly disclosed the findings to Anthropic. Anthropic classified the submission as informative and disputed that literal “@Claude” text or bot-generated messages initiate Claude Tag sessions under the product’s default configuration. Tego AI’s full report documents the observed behavior, supporting evidence, security implications, and disclosure timeline.
Read the full technical report, including supporting evidence and the disclosure timeline: https://www.tego.ai/blog/tego-ai-finds-anthropics-claude-tag-slack-integration-can-trigger-unauthorized-enterprise-actions
About Tego AI
Tego AI is a cybersecurity company developing runtime security and control technology for enterprise AI agents. Its platform helps organizations monitor agent activity and stop unauthorized or risky actions before agents access sensitive data or connected systems.
Tego AI currently operates in stealth. This is the company’s second public security disclosure. According to Tego AI, it has identified additional security issues across other major AI agent platforms, with further disclosures planned.
Contact
CTO
Tal Melamed
Tego AI
[email protected]
A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/b8057080-4eb9-498e-9e15-8279fef502d5