slack-user-cli
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill includes functionality to extract sensitive Slack session tokens (`xoxc-`) and browser cookies (`d`) directly from the local environment.
  - The `login --auto` command uses the `slacktokens` library to access the macOS Keychain and the Slack desktop app's LevelDB database to retrieve active session data.
  - The `login --browser` command reads the user's clipboard using the `pbpaste` system command to import workspace configurations.
- [COMMAND_EXECUTION]: The Python script executes the `pbpaste` command via the `subprocess` module to read data from the system clipboard during the authentication process.
- [DATA_EXFILTRATION]: Extracted session credentials, which grant full access to the user's Slack account, are stored in plain text (JSON) in the local configuration directory at `~/.config/slack-user-cli/config.json`.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) as it processes untrusted data from an external source.
  - Ingestion points: Commands like `read`, `thread`, `url`, and `search` fetch and display arbitrary message content from Slack channels and DMs in `scripts/slack_user_cli.py`.
  - Boundary markers: The skill does not use specific delimiters or instructions to prevent the agent from following commands embedded within Slack messages.
  - Capability inventory: The script possesses write capabilities, including sending messages, uploading files, and editing Slack canvases (using Slack API methods), which could be abused if an injection is successful.
  - Sanitization: While the script performs basic HTML-to-text conversion for canvases, it does not sanitize or escape message content to prevent the agent from interpreting embedded instructions.
Audit Metadata