Slack Actions Query
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill is vulnerable to instructions embedded in processed data that could manipulate the AI's output.
  - Ingestion points: Untrusted data enters the agent's context through the `raw_query` input (direct user messages from Slack) and the last meeting summary fetched from the CRM during the email drafting process.
  - Boundary markers: The skill does not define explicit delimiters (e.g., XML tags or clear boundary markers) when interpolating untrusted context into the system prompt for Claude Haiku.
  - Capability inventory: The skill has read access to CRM data (deals, contacts, meetings) and the capability to queue a `send_email` action.
  - Sanitization: No sanitization or filtering logic is mentioned for the `raw_query` or the retrieved meeting summaries before they are processed by the LLM.
  - Mitigation: The risk is significantly mitigated by the 'preview-then-confirm' flow, which ensures that no emails are sent or records created without an explicit user interaction (button click) on the drafted content.