agent-slack

Warn

Audited by Socket on Mar 10, 2026

2 alerts found:

Anomaly: LOW
SKILL.md

The skill’s stated purpose (Slack workspace interaction with multi-workspace support and memory persistence) is broadly coherent with its capabilities. However, there are notable security mismatches: automatic, silent credential extraction from the Slack desktop app and storage of tokens in local files/memory introduce substantial credential-risk and potential data leakage. While the installation source (agent-messenger via official registries) is standard, the credential handling pattern and memory persistence design warrant elevated scrutiny. Overall, the footprint is SUSPICIOUS due to credential access and data persistence patterns that are not tightly scoped or explicitly consent-driven, though not clearly malicious without evidence of exfiltration code. Treat as suspicious with emphasis on reviewing authentication flows, credential storage safeguards, and data retention policies before deployment in production environments.

Confidence: 65%, Severity: 58%

Security: MEDIUM
references/authentication.md

The documentation describes a tool that intentionally harvests Slack web session tokens and cookies from the local Slack desktop app and stores them in plaintext for reuse. The behavior is not obfuscated and appears purposeful, but it is intrinsically sensitive and high-privilege: if the implementation or distribution is compromised, an attacker could impersonate the user across workspaces and exfiltrate or manipulate workspace data. I recommend: only obtain and run the implementation from trusted, vetted sources; audit the actual code that performs LevelDB reads and Keychain access; require explicit user consent for Keychain access; prefer encrypting credentials at rest (and/or use ephemeral tokens); and rotate/revoke tokens after use. Treat this package as high-privilege and audit its supply chain prior to use.

Confidence: 75%, Severity: 70%

Audit Metadata
Analyzed At: Mar 10, 2026, 02:24 AM
Package URL: pkg:socket/skills-sh/devxoul%2Fagent-messenger%2Fagent-slack%2F@2d45ef816f234a9cbc462f106f48f0f7afa80096