slack

Fail

Audited by Snyk on Mar 14, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The code intentionally grants automated, model-driven tool access (including the "Bash" and "WebFetch" tools), uses permission_mode="bypassPermissions", and runs a persistent Socket Mode listener plus auto-hooks that process untrusted Slack input into a session with resume and persistent memory (SQLite, logs, exportable user models). Together these create a stealthy channel that can execute shell tools, access local data, and exfiltrate information if abused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's Session Bridge and daemon explicitly read Slack user-generated content (see SKILL.md and references/session-bridge.md: slack_listen.py → daemon/inbox.jsonl and claude_handler.py) and feed those untrusted DMs/@mentions into the agent for processing with full tool access, so third-party Slack messages can materially influence actions.

Issues (2)

  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 14, 2026, 02:30 PM
Issues: 2