slack
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, PROMPT_INJECTION, CREDENTIALS_UNSAFE)
Full Analysis
- External Downloads (HIGH): The installation command `npx skills add HartreeWorks/skill--slack` downloads and executes code from an untrusted GitHub repository. The 'HartreeWorks' organization is not within the defined trusted scope, presenting a risk of supply chain compromise.
- Indirect Prompt Injection (HIGH): The skill is designed to ingest untrusted data from Slack, including 'messaging, activity digests, and message history' (README.md). This content enters the agent's context and can contain malicious instructions intended to bypass safety filters or manipulate agent behavior (Category 8). There are no visible sanitization or boundary markers in the provided configuration files.
- Credentials Unsafe (MEDIUM): The `config.example.json` highlights that the skill requires `xoxc` and `xoxd` session tokens. These provide significant access to user accounts compared to standard bot tokens, increasing the impact if the skill or its host environment is compromised.
- Data Exposure (LOW): The `digest-config.json` file contains a hardcoded absolute local path (`/Users/ph/.claude/skills/...`), which discloses information about the developer's local filesystem and indicates the skill performs file-writing operations.
Recommendations
- AI detected serious security threats
Audit Metadata