slack
Pass
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from Slack messages. 1. Ingestion points: Slack content is read via agent-browser snapshot and agent-browser get text in SKILL.md and references/slack-tasks.md. 2. Boundary markers: No delimiters or instructions to ignore embedded commands are present in the skill files. 3. Capability inventory: The skill uses agent-browser (via Bash in SKILL.md) to perform actions like click, fill, press, and open, allowing for extensive interaction with the web environment. 4. Sanitization: No data sanitization or validation routines are described for handling extracted Slack content.
- [DATA_EXFILTRATION]: The skill's core functionality is to access and extract sensitive information from Slack workspaces, including private conversations, user lists, and shared files.
- [COMMAND_EXECUTION]: The skill relies on the execution of agent-browser commands through a shell interface to automate browser interactions.
Audit Metadata