skills/boazy/skills/slack/Gen Agent Trust Hub

slack

Fail

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: HIGH (DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [DATA_EXFILTRATION]: The scripts/slack-emoji-upload.ts script allows an operator to provide an arbitrary file path, which the script then reads using fs.readFile and uploads to the Slack API. This design can be exploited to exfiltrate sensitive local files (such as SSH keys, AWS credentials, or configuration files) by tricking the agent into executing the command with a path to a sensitive file.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted data from Slack without adequate safeguards.
    • Ingestion points: Messages, threads, and search results are ingested via scripts/slack-history.ts, scripts/slack-threads.ts, and scripts/slack-search.ts.
    • Boundary markers: No delimiters or warnings are used to instruct the agent to ignore instructions embedded within the ingested Slack content.
    • Capability inventory: The skill possesses high-privilege capabilities, including posting and editing messages (scripts/slack-send.ts, scripts/slack-edit.ts), adding reactions (scripts/slack-react.ts), and uploading files (scripts/slack-emoji-upload.ts).
    • Sanitization: The skill does not perform any sanitization or validation of the ingested message content before presenting it to the agent.
  • [COMMAND_EXECUTION]: The scripts/slack-auth.ts script utilizes child_process.exec to open the OAuth URL in the user's browser. Although the URL components are currently escaped with encodeURIComponent, the use of exec to handle system commands is a security anti-pattern compared to safer alternatives like spawn, as it involves shell interpretation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 28, 2026, 10:17 PM