NYC

slack

Warn

Audited by Socket on Feb 16, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Backtick command substitution detected

All findings:
- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

The documentation presents a coherent, purpose-driven CLI tool for Slack interaction with token handling aligned to recommended practices. Data flows are legitimate Slack API interactions, and there is no evident malicious behavior in the fragment. The setup and wrapper guidance support secure usage when followed correctly.

LLM verification: This skill's stated purpose (Slack CLI that searches and posts messages) matches the requested capabilities and OAuth scopes. The primary security concerns are operational: it asks for a user OAuth token (xoxp), which is more powerful than a bot token and increases risk if compromised, and it instructs users to add and run wrapper scripts from a user-writable directory without providing the script sources for audit. There is no direct evidence in the provided documentation that the skill is malic

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At
Feb 16, 2026, 12:25 AM
Package URL
pkg:socket/skills-sh/letta-ai%2Fskills%2Fslack%2F@fea15f63016c1ffdb89ed69d1aa657a5fa300793