The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The extract-tokens.js script extracts sensitive Slack session tokens (xoxc) and cookies (xoxd) by accessing the macOS Keychain with the security command and reading Slack's local application data files, including ~/Library/Application Support/Slack/Cookies and root-state.json.
[COMMAND_EXECUTION]: The skill uses execSync to run several system binaries, including security, sqlite3, defaults, strings, and sw_vers. These are used to decrypt local databases and gather detailed system configuration to emulate a Slack desktop client.
[DATA_EXFILTRATION]: The skill automatically harvests credentials from the host system and prints them to the standard output. Additionally, it sends the decrypted session cookie to Slack's servers to obtain further authentication tokens, which is a pattern commonly used for automated account access.
[PROMPT_INJECTION]: The skill ingests untrusted data in the form of Slack messages and thread replies through the search, history, and replies commands.
Ingestion points: Slack message text and blocks retrieved via the Slack API (processed in slack-client.js).
Boundary markers: None identified in the prompt templates or instructions; the agent is not instructed to ignore embedded instructions within retrieved messages.
Capability inventory: The skill has network permissions and the ability to execute shell commands via execSync in extract-tokens.js and slack.js.
Sanitization: There is no evidence of sanitization or filtering applied to message content before it is presented to the agent.

slack-explorer