slack

Fail

Audited by Snyk on Apr 7, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill spec exposes explicit, powerful data-access and credential-import capabilities (browser/profile imports, parse-curl token ingestion, automatic attachment downloads with absolute local paths, and external-invite flows) that can be directly abused for credential theft and data exfiltration, though there is no evidence of obfuscated/backdoor code or hidden remote-control channels in the content.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill explicitly fetches and ingests user-generated Slack content (messages, threads, files, canvases, and downloaded attachments) as shown in SKILL.md and the references (e.g., slack message get/list, slack search, slack canvas get), and that content is read by the agent and can directly influence actions like drafting/sending/editing/deleting messages, creating a clear avenue for indirect prompt injection.

Issues (2)

  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Apr 7, 2026, 10:37 PM
  • Issues: 2