
Security Advisory: Cross-Tool Prompt Injection Amplification Risk #1407

@joergmichno

Summary

Klavis bundles multiple MCP tools (Notion, Slack, Google Drive, and others) into a single agent platform. This creates a cross-tool prompt injection amplification risk: because the agent acts with the combined permissions of every connected tool, a prompt injection carried in one tool's output can trigger actions across ALL connected tools.

Attack Vector

  1. Attacker places prompt injection in a Notion page, Slack message, or Google Drive document
  2. AI agent reads content from one tool via Klavis → injection enters the LLM context
  3. Because the agent has access to ALL connected tools simultaneously, the injection can:
    • Read data from Slack → write it to a public Google Doc
    • Read confidential Notion pages → send them via Slack to an external channel
    • Modify Google Drive documents based on instructions hidden in Slack messages

Impact

  • Cross-Tool Data Exfiltration: Data from one service can be exfiltrated through another (read Slack → post to Google Drive)
  • Maximum Blast Radius: A single injection point compromises ALL connected services simultaneously
  • Lateral Movement: Attacker pivots from a low-privilege tool (reading public Notion pages) to high-privilege actions (sending Slack messages, modifying Google Drive)
  • Enterprise Data Breach: Multi-tool platforms aggregate access to the most sensitive enterprise data sources

OWASP Classification

  • OWASP LLM Top 10: LLM01 (Prompt Injection)
  • OWASP Agentic Top 10: AG01 (Prompt Injection via Tool Results), AG05 (Privilege Escalation via Cross-Tool Chaining)

Recommendation

  1. Add a security warning about cross-tool prompt injection risks
  2. Implement tool isolation — actions triggered by content from Tool A should not automatically have access to Tool B
  3. Add confirmation prompts for cross-tool operations
  4. Implement per-tool permission scoping (read-only for data sources, write requires explicit approval)
  5. Log all cross-tool interactions for audit trails
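The recommendations above (tool isolation, confirmation for cross-tool operations, read/write scoping, and an audit trail) can be combined into one policy gate that the agent's tool dispatcher consults before executing any call. The following is an added example written for this issue; it is not Klavis or ClawGuard code. It tracks which MCP servers' output has already entered the LLM context ("taint"), allows read-only tools freely, and refuses a write tool once the context is tainted until a human approves, logging every decision together with whether it crossed a tool boundary. The tool names (`notion.read_page`, `slack.post_message`, `gdrive.share_file`, and so on) and the catalog that maps them to a server and an access level are assumptions for illustration; a real deployment would derive them from the servers' tool listings.

```python
"""Taint-tracking policy gate for an agent that dispatches MCP tool calls.

Added example for this issue, not Klavis or ClawGuard code. Tool names and the
catalog below are hypothetical.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class Access(Enum):
    READ = "read"
    WRITE = "write"


# Hypothetical per-tool permission scope: tool -> (server, access level).
# Data sources are read-only; anything that posts, shares or edits is a write.
TOOL_CATALOG: Dict[str, Tuple[str, Access]] = {
    "notion.read_page": ("notion", Access.READ),
    "slack.read_channel": ("slack", Access.READ),
    "slack.post_message": ("slack", Access.WRITE),
    "gdrive.read_doc": ("gdrive", Access.READ),
    "gdrive.share_file": ("gdrive", Access.WRITE),
}


@dataclass
class Decision:
    allowed: bool
    needs_approval: bool
    reason: str


@dataclass
class SessionPolicy:
    """Per-session gate consulted by the dispatcher before every tool call."""

    # Servers whose output has entered the LLM context in this session. Once a
    # server is in this set, anything the model says next may be attacker text
    # that arrived through that server, so writes are no longer trusted.
    tainted_by: Set[str] = field(default_factory=set)
    audit_log: List[dict] = field(default_factory=list)

    def record_tool_result(self, tool: str) -> None:
        """Call after a tool returns; marks its server as an untrusted source."""
        server, _ = TOOL_CATALOG[tool]
        self.tainted_by.add(server)

    def authorize(self, tool: str, approved: bool = False) -> Decision:
        """Decide whether `tool` may run now; `approved` is a human's confirmation."""
        server, access = TOOL_CATALOG[tool]
        # Cross-tool: content from some *other* server is already in the context.
        cross_tool = bool(self.tainted_by - {server})
        if access is Access.READ:
            decision = Decision(True, False, "read-only tool")
        elif not self.tainted_by:
            decision = Decision(True, False, "write permitted, context untainted")
        elif approved:
            decision = Decision(True, False, "write permitted, human approved")
        else:
            decision = Decision(
                False, True,
                f"write to {server} after reading from {sorted(self.tainted_by)} "
                "requires explicit approval",
            )
        # Recommendation 5: every cross-tool interaction is logged for audit.
        self.audit_log.append({
            "tool": tool,
            "tainted_by": sorted(self.tainted_by),
            "cross_tool": cross_tool,
            "allowed": decision.allowed,
            "needs_approval": decision.needs_approval,
        })
        return decision


def notion_to_slack_scenario() -> Tuple[SessionPolicy, List[Decision]]:
    """Walk the advisory's Notion -> Slack chain through the gate."""
    policy = SessionPolicy()
    d_read = policy.authorize("notion.read_page")        # allowed: read-only
    policy.record_tool_result("notion.read_page")        # context now tainted by notion
    d_post = policy.authorize("slack.post_message")      # blocked: cross-tool write
    d_ok = policy.authorize("slack.post_message", approved=True)  # allowed after a human confirms
    return policy, [d_read, d_post, d_ok]


if __name__ == "__main__":
    policy, decisions = notion_to_slack_scenario()
    for entry, decision in zip(policy.audit_log, decisions):
        print(entry["tool"], "->", decision.reason, "| cross_tool =", entry["cross_tool"])
```

Note that the gate does not treat a same-server chain (read a Slack channel, then post to Slack) as safe: it is not cross-tool, so the log flags it differently, but it still requires approval once the context is tainted, because the injected Slack message can just as well ask the agent to repost confidential content into another channel.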

Free compliance check: Run your own prompts through our EU AI Act compliance scanner — instant results, no account required: prompttools.co/report

Best,
Joerg Michno
ClawGuard — Open-Source AI Agent Security | 225 patterns, 15 languages
