The Agent Skills Directory

[CREDENTIALS_UNSAFE] (HIGH): Hardcoded Slack Client Secret detected in multiple files.
Evidence: SLACK_CLIENT_SECRET=dce1a170a489edab7234411850b8aeab found in SKILL.md and slack-master/references/setup-guide.md.
Impact: Exposing the Client Secret allows attackers to impersonate the Slack application, perform phishing attacks against workspace users, or intercept OAuth flows.
[COMMAND_EXECUTION] (MEDIUM): The skill executes arbitrary system commands via subprocess calls.
Evidence: slack-master/scripts/run_oauth.py uses subprocess.run(['openssl', 'req', ...]) to generate self-signed SSL certificates locally.
Context: While used for the legitimate purpose of setting up a local HTTPS callback server, spawning subprocesses with system binaries introduces risk if the environment is not strictly controlled.
[INDIRECT_PROMPT_INJECTION] (LOW): The skill reads external, user-generated content from Slack that can contain malicious instructions.
Ingestion points: slack-master/scripts/channel_history.py, slack-master/scripts/dm_history.py, and slack-master/scripts/search_messages.py ingest raw message text from the Slack API.
Boundary markers: None. The skill does not use delimiters or instructions to prevent the agent from obeying commands embedded within Slack messages.
Capability inventory: The skill possesses high-privilege capabilities including sending messages, deleting messages, and uploading files.
Sanitization: No sanitization of message content is performed before the data is returned to the agent context.
[DATA_EXPOSURE] (LOW): The skill reads and writes sensitive tokens to a local .env file.
Evidence: slack_master/scripts/slack_client.py and run_oauth.py interact with the project's .env to store SLACK_USER_TOKEN.
Context: This is standard behavior for the skill's functionality, but represents a central point of failure for credential security.

slack