slack-notifications
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUMPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The file commands/slack-notifications.md includes the directive 'follow it exactly as presented to you', which is a prompt injection attempt designed to bypass standard operational constraints and prioritize the skill's specific instructions.
- [PROMPT_INJECTION]: The SKILL.md file mandates a 'Memory Protocol' that forces the agent to read from and write to specific local files (learnings.md, issues.md, decisions.md) to maintain behavioral state. This serves as an instruction-driven persistence mechanism that could be used to manipulate future agent interactions.
- [DATA_EXFILTRATION]: The skill provides an upload-file tool that enables the agent to send local filesystem data to external Slack channels. This capability, combined with example commands targeting specific paths like 'C:\reports\weekly.pdf', represents a significant data exfiltration risk if the agent is misled by malicious input.
- [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection:
- Ingestion points: Tools such as channel-history and list-files retrieve untrusted content from external Slack workspaces into the agent's active context (documented in SKILL.md).
- Boundary markers: There are no defined delimiters or safety instructions provided to help the agent distinguish between its own system instructions and potentially malicious commands embedded within the retrieved Slack data.
- Capability inventory: The agent is granted high-privilege capabilities including file uploads (upload-file), message broadcasting (post-message), and general shell access (Bash), which could be triggered by instructions found in Slack messages.
- Sanitization: The skill lacks any mechanism to sanitize or validate data fetched from Slack before it is presented to the agent's reasoning engine.
Audit Metadata