slack-automation
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires connecting to an external Model Context Protocol (MCP) server at 'https://rube.app/mcp'. While this is the core infrastructure for the skill's functionality, it represents a dependency on a third-party service that processes user data.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from Slack conversations and has the capability to perform actions based on that data.
- Ingestion points: Untrusted data enters the agent context via 'SLACK_SEARCH_MESSAGES', 'SLACK_FETCH_CONVERSATION_HISTORY', and 'SLACK_FETCH_MESSAGE_THREAD_FROM_A_CONVERSATION'.
- Boundary markers: The skill documentation does not mention the use of delimiters or warnings to ignore instructions embedded in the Slack messages it retrieves.
- Capability inventory: The skill possesses capabilities to write back to the environment, including 'SLACK_SEND_MESSAGE', 'SLACK_SCHEDULE_MESSAGE', 'SLACK_ADD_REACTION_TO_AN_ITEM', and 'SLACK_UPDATES_A_SLACK_MESSAGE'.
- Sanitization: There is no evidence of sanitization or validation of the retrieved message content before it is processed by the agent.
Audit Metadata