Security Advisory: Anthropic's Slack MCP Server Vulnerable to Data Exfiltration (embracethered.com)

Anthropic’s reference Slack MCP (Model Connector Proxy) server — now deprecated and unmaintained — contains a link “unfurling” vulnerability that can let AI agents exfiltrate sensitive data to third‑party servers. An attacker who can inject prompts into data an agent processes can trick the agent into posting crafted URLs to Slack; because the MCP server leaves Slack’s automatic link unfurling enabled, Slack (Slackbot/ImgProxy) will crawl those links and leak query parameters or fetched content to attacker-owned endpoints. The issue was reported to Anthropic on May 27, 2025; Anthropic archived the repository on May 29 and does not plan to patch or issue a CVE. The server is widely used (weekly downloads ~14k+), so many installations may be exposed. For AI/ML teams this is a practical, high‑impact threat: it combines the “lethal trifecta” — an agent with access to private data, processing untrusted inputs, and permission to post to messaging apps — enabling 0‑click exfiltration. Immediate mitigations include disabling Slack unfurling (set unfurl_links:false and unfurl_media:false in post/reply calls), tightening Slack app scopes to least privilege, and prefer vendor‑maintained MCP implementations or add domain allow‑lists. Organizations should inventory MCP usage, treat unmaintained connectors as high risk, and require supervised tool invocation or stricter content sanitization to prevent prompt injection.