@ClaudeIt operates in an "ambient" mode, continuously following conversations, learning channel context, and proactively chiming in to flag updates or surface tasks . Its permissions are scoped to the channel it resides in rather than to an individual user, allowing administrators to configure different tool sets, data access, and spend limits for each channel
.
Behind the scenes, each Claude Tag session runs on the Opus 4.8 model inside an Anthropic-managed Linux microVM, with connector credentials kept outside the VM, proxied network access, and read-only tooling for isolation . Channel usage is billed to the organization at API rates, not per-seat, inverting traditional enterprise software pricing models
.
The Tego AI finding does not exist in isolation. It compounds with two other major incidents in mid-2026 that together reveal a crisis in enterprise AI agent security.
On June 30, 2026, independent researcher "Thereallo" reverse-engineered Claude Code and discovered obfuscated JavaScript that silently fingerprinted users' geographic location (via timezone checks) and modified system prompts using look-alike Unicode characters — a curly apostrophe instead of a straight one, a slash instead of a dash — to create a stealth tracking mark detectable by Anthropic's backend . China's National Vulnerability Database (NVDB) issued a formal "backdoor" security alert on July 8 covering Claude Code versions 2.1.91 through 2.1.196
. Alibaba banned Claude Code internally shortly after
. Anthropic called it an "anti-abuse experiment" and removed it on July 1
.
The Model Context Protocol (MCP) infrastructure underpinning Claude Tag and many other AI agents has been found to contain systemic design flaws. Key findings from 2026:
exec() or shell injection, and 13% involve path traversal Enterprises deploying Claude Tag and similar agentic AI tools face a triple threat: prompt-injection attack surfaces in the agent trigger layer (Tego AI finding), opaque vendor-side tracking in agent tooling (Claude Code tracker), and fundamentally insecure infrastructure defaults in the MCP ecosystem that connects agents to tools and data.
Identity and access control failures cascade rapidly when a persistent agent like Claude Tag has broad tool access and can be triggered by spoofed mentions . Traditional API governance is insufficient for agentic workflows because agents do not follow per-user permission models or request-response patterns
. The supply chain risk is enormous: a vulnerability in the MCP reference implementation propagates to every downstream deployment
. Transparency and auditability remain critical issues — the Claude Code tracker was obfuscated in minified JavaScript and discovered only by external reverse-engineering, meaning enterprise security teams cannot rely on vendor self-disclosure
.
Regulatory escalation is already underway, with China's NVDB issuing state-level alerts and enterprises like Alibaba issuing outright bans . The combined picture is that enterprise AI agent security in 2026 requires a fundamentally new approach—one that treats persistent agents as critical infrastructure with rigorous identity, access, and supply chain controls.
@Claude even from automated sources, enabling prompt injection attacks