slack-automation
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE PROMPT_INJECTION DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The script `scripts/categorize_slack_messages.py` contains a vulnerability surface for indirect prompt injection where untrusted data from Slack messages is interpolated into an LLM prompt.
  - Ingestion points: Slack message text is ingested via the `fetch_slack_news.py` script or from local JSON files in `scripts/categorize_slack_messages.py`.
  - Boundary markers: The message content is wrapped in simple double quotes within the prompt string (`Message: "{text}"`), which can be easily bypassed by an attacker providing a message containing a closing quote and new instructions.
  - Capability inventory: The skill has permissions to read channel history, list users, search channels, and create new channels across the Slack workspace.
  - Sanitization: There is no evidence of sanitization, escaping, or "ignore embedded instructions" warnings applied to the message content before processing.
- [DATA_EXFILTRATION]: The skill transmits potentially sensitive internal Slack communications to an external third-party API for categorization.
  - Evidence: `scripts/categorize_slack_messages.py` sends message text and links to `https://openrouter.ai/api/v1` using the `OPENROUTER_API_KEY` provided in the environment.
  - Context: While this is necessary for the AI categorization feature, it involves sending organization-private data to an external endpoint not included in the standard whitelist.
Audit Metadata