slack

Pass

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is inherently subject to indirect prompt injection risks because it processes untrusted data from Slack messages. A malicious user in a shared Slack channel could attempt to manipulate the agent's behavior by embedding instructions in their messages.
      • Ingestion points: Untrusted data enters the agent context via daemon/inbox.jsonl (populated by the background listener), slack_read.py, and slack_search.py.
      • Boundary markers: The daemon architecture documentation (references/daemon-architecture.md) specifies the use of fencing blocks to delineate user messages as untrusted input.
      • Capability inventory: The skill possesses significant capabilities, including the ability to post messages, upload files, and execute arbitrary shell commands through the underlying Claude agent tools.
      • Sanitization: Mitigation depends on the agent correctly interpreting prompt-level delimiters and the fencing described in the skill's instructions.
  • [COMMAND_EXECUTION]: The Session Bridge and unified launcher components utilize the subprocess module and the Claude Agent SDK to invoke the agent's reasoning and tool-use capabilities. This design is central to the skill's functionality as a Slack-to-Terminal bridge.
  • [SAFE]: Persistence is implemented through standard macOS launchd configuration files to maintain the background listener process. This behavior is fully documented and required for the Session Bridge feature to function across system restarts.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 14, 2026, 02:31 PM