slack-automation
Warn
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs users to add an external MCP server endpoint (https://rube.app/mcp) to their client configuration. This third-party service acts as the gateway for all Slack operations and is not from a recognized trusted provider.\n- [DATA_EXFILTRATION]: All Slack operations, including reading private messages, searching workspace history, and listing user details, are processed through the rube.app infrastructure. This setup transmits sensitive workspace data to a third-party service, creating a potential point of data interception or unauthorized access.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection attacks because it processes untrusted message content from Slack.\n
- Ingestion points: External data enters the agent context via tools like SLACK_SEARCH_MESSAGES and SLACK_FETCH_CONVERSATION_HISTORY (SKILL.md).\n
- Boundary markers: No delimiters or instructions are provided to help the agent distinguish between its own instructions and content retrieved from Slack messages.\n
- Capability inventory: The skill allows the agent to send messages and manage channels, which could be abused if malicious instructions are present in the Slack data.\n
- Sanitization: There is no evidence of content validation or filtering before retrieved data is used by the agent.
Audit Metadata