slack

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill asks the user to paste their Slack access token and shows running scripts with the token as a command-line argument (e.g., npx tsx scripts/slack-app-create.ts ), which requires the agent to receive and potentially include the secret verbatim in commands/outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly reads user-generated Slack content via the Slack Web API (see scripts/slack-history.ts, slack-threads.ts, slack-search.ts and scripts/slack-users.ts) and SKILL.md workflows (e.g., "Read and respond to a thread") instruct the agent to read and act on that untrusted third-party content, so messages from arbitrary workspace users can materially influence subsequent actions.