slack

Fail

Audited by Snyk on Mar 5, 2026

Risk Level: CRITICAL

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The prompt includes an explicit example that passes a user password on the command line (e.g., "login user@example.com mypassword") and describes extracting session tokens, which are insecure patterns that can force an agent to embed secret values verbatim in commands or outputs.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This skill deliberately implements credential-extraction and persistent session storage (AppleScript access to Chrome tabs, reading Chrome cookie DB via pycookiecheat, saving xoxc/xoxd tokens to disk), accepts/stores plaintext credentials for automated login, and exposes arbitrary JavaScript execution in a browser context (page.evaluate via the Playwright bridge) plus UI automation and screenshotting — all of which are high-risk primitives that can be abused to steal tokens, maintain persistent access, and perform remote actions on a user's Slack session.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill's runtime setup (scripts/slack-browser-session.sh -> ensure_playwright) runs "npm install" and "npx playwright install chromium", which fetch and install code/binaries from the npm registry (e.g., https://registry.npmjs.org) and Playwright download endpoints at runtime — remote code that is executed and is required for browser mode.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 5, 2026, 04:07 PM