agent-slack
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill performs automated extraction of sensitive Slack authentication tokens (
xoxc) and cookies (xoxd) from the local Slack desktop application's internal databases. On macOS, it specifically attempts to access the system Keychain to decrypt stored session cookies. - [DATA_EXFILTRATION]: The tool accesses sensitive local application data directories (e.g.,
~/Library/Application Support/Slack/, LevelDB, and Cookie databases) to obtain authentication materials. - [COMMAND_EXECUTION]: The skill relies on executing the
agent-slackCLI tool through Bash, which performs file system reads and network operations to interact with the Slack API. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted data from external Slack workspaces. Instructions embedded in Slack messages, channel topics, or user profiles could potentially influence the agent's behavior.
- Ingestion points: Slack messages, channel history, search results, and user profiles retrieved via
agent-slack message listoragent-slack snapshot. - Boundary markers: None identified in the command output formats.
- Capability inventory: Sending messages, uploading files, reading channel history, and managing reactions across the workspace.
- Sanitization: No explicit sanitization of message content before processing is documented.
Audit Metadata