slack-automation
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): The skill requires connecting to an external MCP server located at
https://rube.app/mcp. While necessary for the skill's function, this endpoint is outside the predefined trusted repository list. - [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface. The skill is designed to read and process content from Slack conversations, which is an untrusted data source.
- Ingestion points: Untrusted data enters the agent context through
SLACK_SEARCH_MESSAGES,SLACK_FETCH_MESSAGE_THREAD_FROM_A_CONVERSATION, andSLACK_FETCH_CONVERSATION_HISTORYinSKILL.md. - Boundary markers: Absent. The instructions do not provide delimiters or warnings to the agent to ignore instructions that might be embedded within Slack messages.
- Capability inventory: High. The agent has the ability to send messages, manage channels, and list users across the workspace.
- Sanitization: Absent. There is no mention of sanitizing or escaping the content retrieved from Slack before the agent acts upon it.
Audit Metadata