slack

The script purposefully harvests Slack session tokens from a local Chrome browser (xoxc from localStorage and xoxd from cookies) and stores them in a plaintext file under the user's home directory. This is credential-extraction behavior and represents a significant privacy/security risk if run on a machine without explicit consent or if the resulting tokens file is not properly protected. The script itself does not exfiltrate data over the network, and there is no obfuscation or active malicious network behavior; however, because it captures high-value credentials and writes them to disk with no protections, its presence in a repository or execution on a system should be treated as sensitive and potentially malicious depending on context. Only run this code in trusted environments and ensure the output file has restrictive permissions or is otherwise protected; delete tokens when not needed.

This script is a powerful Playwright-based automation bridge intended to manage browser sessions and execute page-level scripts. It does not contain obvious obfuscation or hardcoded malicious payloads, but it exposes dangerous functionality: direct execution of untrusted JavaScript in browser context (page.evaluate), persistent storage of authentication state (storageState.json), and the use of CLI-provided session IDs in filesystem paths (possible path traversal or unintended file writes/deletes). If invoked with untrusted inputs or exposed as a service, it can be abused to harvest credentials, perform actions as the logged-in user, exfiltrate data, or delete files. Recommendation: do not expose this CLI to untrusted callers; validate/sanitize session IDs, disallow or strongly restrict page.evaluate of arbitrary code, and limit where files can be written (reject path traversal).