slack
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection risk due to external data ingestion.
- Ingestion points: The skill fetches message content, thread history, and search results from Slack via several API endpoints (
conversations.history,conversations.replies,search.messages) as seen inSKILL.md. - Boundary markers: Absent. The skill does not implement delimiters or provide instructions to the agent to treat Slack content as untrusted data.
- Capability inventory: The skill utilizes shell execution (
curl,sed,jq) and file system output viamkoutput. - Sanitization: Absent. There is no filtering or sanitization of message text before it enters the agent's context. Malicious Slack messages could contain instructions aimed at manipulating the agent's behavior.
- [DATA_EXFILTRATION] (LOW): Network communication to a non-whitelisted domain.
- The skill uses
curlto send data to and receive data fromslack.com. While this is the intended purpose of the skill, the domain is not included in the predefined trusted whitelist. - [COMMAND_EXECUTION] (SAFE): Use of shell commands for API interaction.
- The skill uses
curl,sed, andjqfor parsing URLs and interacting with APIs. Variables derived from user input (such as queries and URLs) are handled with double quotes or safely encoded viajq -sRr @uri, minimizing the risk of direct command injection.
Audit Metadata