NYC

slack-messaging

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt instructs extracting browser session tokens (xoxc/xoxd) and shows commands that embed those tokens directly as CLI arguments, requiring the agent to handle and output secrets verbatim.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). The direct GitHub release link is potentially high-risk because it serves a prebuilt executable from an unfamiliar, low-profile account (unknown maintainer, no vetting), which is a common malware distribution pattern. The three slack.com workspace URLs are official Slack subdomains/placeholders and are low risk on their own.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill reads and parses user-generated Slack content (e.g., via "slackcli conversations read", "conversations list", and message JSON output) from public/private channels and DMs, exposing the agent to untrusted third-party content that could carry indirect prompt injection.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt instructs installing a binary into /usr/local/bin and changing its permissions (modifying system-wide filesystem locations that typically require sudo), which alters the machine's state and can be used to compromise it.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 15, 2026, 09:25 PM