slack-cli-read
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The skill instructs the agent to access highly sensitive credentials (TOKEN and D_COOKIE) stored at `~/.config/slack/slack.env`.
- [COMMAND_EXECUTION] (HIGH): The command map includes `slack api curl <endpoint> -- [curl args]`. This allows the agent to pass arbitrary flags to curl, which can be abused to read local files, bypass security controls, or execute network requests outside of the Slack API.
- [DATA_EXFILTRATION] (HIGH): Because the agent has access to the Slack environment file and a raw curl wrapper, an attacker can easily craft an instruction that forces the agent to exfiltrate the `slack.env` content to an external server.
- [PROMPT_INJECTION] (HIGH): This skill is highly vulnerable to Indirect Prompt Injection (Category 8):
  - Ingestion points: It reads Slack messages, threads, and DM history across multiple commands in `SKILL.md`.
  - Boundary markers: None. The skill does not provide any delimiters or instructions to ignore embedded commands in the messages it reads.
  - Capability inventory: It has high-privilege tools including `slack api call` and `slack api curl` (with arbitrary arguments).
  - Sanitization: None. Data from external Slack messages is passed directly into the agent's context where it can influence the execution of the powerful CLI tools.
Recommendations
- AI detected serious security threats