slack-respond
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands that incorporate variables derived directly from untrusted Slack message content (e.g., `MESSAGE_TEXT`, `DISPLAY_NAME`). This pattern is vulnerable to command injection if the agent interpolates these strings into the command line without proper shell escaping.
- [DATA_EXFILTRATION]: The skill repeatedly executes `source ~/.zshrc 2>/dev/null` before running its scripts. This practice is insecure as shell profile files frequently contain sensitive environment variables, API keys, and private configuration data that are then exposed to the execution environment.
- [PROMPT_INJECTION]: The skill's core functionality involves processing external data from Slack to drive a cognitive pipeline and determine tool usage. This creates an attack surface for indirect prompt injection.
  - Ingestion points: Slack messages retrieved via the `slack_check.py` inbox listing.
  - Boundary markers: The skill uses XML tags for output structuring, but lacks explicit delimiters or instructions for the agent to ignore embedded commands within the incoming message text during the perception step.
  - Capability inventory: The skill allows for arbitrary shell command execution, file system access (reading `~/.zshrc` and `soul.md`), and network communication through Slack integration scripts.
  - Sanitization: No sanitization or validation of the Slack message content is mentioned in the instructions before it is passed to processing scripts.