slack
Warn
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill includes commands to access sensitive local data. Specifically, the
agent-slack auth import-desktop,auth import-chrome, andauth import-firefoxcommands allow the agent to extract Slack authentication tokens directly from the user's local system and browser profiles. While these are documented features, they represent a high-risk capability for credential exposure if the agent is manipulated. - [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection because it processes untrusted content from external Slack workspaces.
- Ingestion points: Data enters the context through
agent-slack message get,agent-slack message list, andagent-slack searchoperations which read message text and file contents from Slack. - Boundary markers: The instructions lack delimiters or explicit warnings for the agent to ignore instructions embedded within the Slack data it retrieves.
- Capability inventory: The agent has the power to send messages, delete content, and invite external users to channels via the
agent-slack channel invite --externalcommand. - Sanitization: There is no evidence of sanitization or filtering of the content retrieved from Slack before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill relies on the
agent-slackCLI tool. AlthoughSKILL.mdprovides rules for the agent to follow when constructing commands (e.g., avoiding quotes or redirects), these are natural language constraints rather than technical enforcements, leaving the system open to abuse if the agent's behavior is modified by an injection attack.
Audit Metadata