slack-skill
Fail
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The `slack_bridge.py` script executes the `claude` command-line interface using `subprocess.run` to process incoming messages.
  - Evidence: The script uses the `--dangerously-skip-permissions` flag, which explicitly instructs the underlying agent to bypass manual confirmation for high-risk operations (like file modification or shell execution).
  - Evidence: Commands are constructed using data received directly from Slack users, creating a path for remote system control if the user whitelist is misconfigured or a Slack account is compromised.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its Slack listener component.
  - Evidence Chain:
    - Ingestion points: `slack_bridge.py` ingests untrusted text from Slack DMs and channel mentions via the `handle_message` function.
    - Boundary markers: None. The Slack message content is directly appended to a system-level prompt inside the `run_claude_code` function.
    - Capability inventory: The system prompt explicitly informs the processing agent that it has 'full access to this workspace including Obsidian vault, skills, and tools' and 'can read files, send emails, etc.'
    - Sanitization: There is no input sanitization or escaping performed on the Slack message text. The only guardrail is a hardcoded `ALLOWED_USERS` whitelist in `slack_bridge.py`.
- [EXTERNAL_DOWNLOADS]: `slack_skill.py` contains a `download` command that fetches files from Slack's servers and writes them to the local file system.
  - Evidence: The `cmd_download` function uses `urllib.request` with the user's bot token to save remote files to `/tmp` or a user-specified path.
Recommendations
- AI detected serious security threats
Audit Metadata