slack
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses subprocess.run with shell=True in scripts/slack_cdp.py to execute system-level commands. These commands are used to launch or restart the Slack desktop application with remote debugging enabled (--remote-debugging-port), as well as to manage processes on macOS, Linux, and Windows.
- [DATA_EXFILTRATION]: The skill facilitates the extraction of sensitive information from the user's Slack workspace. It can fetch unread messages, perform searches, and retrieve items saved for later. This data is exposed to the AI agent context, which could lead to unauthorized data transmission if the agent is compromised or misdirected.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves untrusted text from external Slack messages and passes it to the agent without sanitization.
  - Ingestion points: Message body text, channel names, and sender names are ingested via scripts/unreads.py, scripts/search.py, and scripts/later.py.
  - Boundary markers: There are no clear delimiters or instructions provided to the agent to help it distinguish between message data and system instructions.
  - Capability inventory: The skill provides the agent with the ability to send messages (scripts/reply.py), react with emojis (scripts/emoji.py), and manage local processes (scripts/slack_cdp.py).
  - Sanitization: The skill does not perform any validation, filtering, or escaping of the message content before returning it to the agent.
Audit Metadata