slack-cli
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill creates a significant attack surface for indirect prompt injection. It ingests untrusted data from Slack messages and has powerful capabilities that can be triggered by that data.
- Ingestion points: The skill reads data from
conversations.history(line 147),search.messages(line 187), andconversations.replies(line 215). - Boundary markers: None. The skill documentation does not provide delimiters or instructions for the agent to ignore embedded commands within the Slack messages it reads.
- Capability inventory: The skill has the capability to send messages (
chat send, line 53), update/delete messages (lines 72-76), upload files (line 83), and perform direct API POST requests (chat.postMessage, line 133). - Sanitization: None. Data from Slack is passed directly into commands and
jqfilters. - [Unverifiable Dependencies] (MEDIUM): The skill requires
slack-cliviabrew install rockymadden/rockymadden/slack-cli. This is a third-party Homebrew tap from an unverified user, posing a risk of supply chain compromise. - [Command Execution] (MEDIUM): The skill relies on complex shell command construction, including piping output to
xargs(line 79) and embedding subshells incurlheaders (line 123). This pattern is vulnerable to command injection if the agent interpolates unescaped user-controlled strings into these templates.
Recommendations
- AI detected serious security threats
Audit Metadata