slack
Fail
Audited by Snyk on Mar 26, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill includes examples and flows that embed session tokens and user passwords directly into commands (e.g., curl with "Authorization: Bearer ${SLACK_XOXC}", sourcing tokens.env, and an automated login example "login user@example.com mypassword"), which would require the agent to handle or output secret values verbatim.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). High risk: the skill intentionally extracts Slack credentials (Chrome cookie decryption and AppleScript/localStorage token scraping), persists tokens, and exposes arbitrary JavaScript execution in the user's authenticated browser context and UI-automation APIs — all of which can be used to steal credentials, exfiltrate data, or act as a remote backdoor if misused or invoked without explicit, informed user consent.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and interprets user-generated Slack content via the Slack Web API and browser mode (see SKILL.md "Read Operations" — conversations.history, conversations.replies, search.messages — and browser-mode references/Playwright bridge that navigate to app.slack.com and snapshot/interact), so untrusted third‑party messages/files can be read and materially influence the agent's decisions and subsequent actions.
Issues (3)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).