agent-slackbot

Pass

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: SAFE
PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted data from Slack messages through tools like 'message list', 'message get', and 'message replies'. This creates an indirect prompt injection surface where external users could influence the agent's behavior by posting malicious instructions in monitored channels.
      1. Ingestion points: 'message list', 'message get', and 'message replies' in SKILL.md.
      2. Boundary markers: Absent; message content is read without specific delimiters or isolation instructions.
      3. Capability inventory: The Bash(agent-slackbot:*) tool allows the agent to send, update, and delete messages, and manage reactions.
      4. Sanitization: Absent; message content is treated as raw text.
  • [CREDENTIALS_UNSAFE]: Slack Bot tokens (xoxb-) are stored in plaintext within the local configuration file '~/.config/agent-messenger/slackbot-credentials.json'. Although the skill attempts to secure the file with 0600 permissions, storing sensitive access tokens without encryption is a security risk. Evidence found in references/authentication.md.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 12, 2026, 03:44 AM