Thanks. I don't really see how that's worse than today, where a bad actor can do exactly the same thing in a forum post. Typically the post shows the text you enter, but can go to any URL.
In terms of the user going to a site instead of a zip file: If a user is willing to unpack and run a random file he downloaded and give it credentials to something... what's the difference? Not being argumentative, but this seems like a stretch.
The difference is that many forums or chat programs will automatically linkify valid hostnames/URLs.
Now "foo.zip" is a valid URL.
You could have a forum or chat program that you think is quite safe, since it doesn't allow file uploads, and doesn't allow arbitrary link text, and this would upend that.
In terms of the user going to a site instead of a zip file: If a user is willing to unpack and run a random file he downloaded and give it credentials to something... what's the difference? Not being argumentative, but this seems like a stretch.