Give an agent a send button and you have given it an exfiltration channel

Email, chat, pull requests. The moment your agent can talk to the outside world, a successful injection has somewhere to send your data.

B

Balagei G Nagarajan

3 MIN READ


An agent with a send button while private data flows out through it to an attacker
Reading private data alone leaks nothing; the attacker needs a way to get it out.
— from “Give an agent a send button and you have given it an exfiltration channel”

Key facts.

  • The lethal trifecta names external communication as the exfiltration leg: private data plus untrusted content plus a send path equals theft (Willison, 2025).
  • The GitHub MCP exploit combined reading private repos with creating a pull request to exfiltrate that data (reported).
  • Slack AI was shown exfiltrating private channel data via indirect injection planted in retrievable content (PromptArmor).

Why is the send capability so dangerous specifically?

Because it closes the loop. Reading private data alone leaks nothing; the attacker needs a way to get it out. Email, chat, an outbound HTTP call, a pull request, any of these is an exit. Social engineering makes it worse: a crafted message can have the agent compose a convincing email to a real colleague, turning your agent into an insider. The defense is to treat any turn that touched untrusted content as tainted and to gate outbound communication after that point, so the exit is closed exactly when it matters.

Sankey diagram showing private data flowing through a tainted agent toward an external send channel that a gate blocks

Open send vs. gated send

Open sendGated send
Outbound comms always availableOutbound gated after untrusted input
Compromise reaches an exitExit closed when the turn is tainted
Agent can be made an insiderExternal sends require approval

VibeModel's Pattern Intelligence Layer recognizes when an agent that has handled untrusted content moves toward an outbound send carrying private data, and stops that pattern. You give the agent the comms it needs; we make sure those comms can't become an attacker's exfiltration channel. Close the loop and the trifecta breaks.

Frequently asked questions

Can I keep the agent's email access?
Yes, if you gate it. Decouple private-data reads from external sends in the same turn, or require approval once untrusted content is involved.

What counts as an exit?
Any outbound path: email, chat, HTTP, PR creation, even an image URL the client fetches. Treat them all as exfiltration channels.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.