The Agent Skills Directory

[CREDENTIALS_UNSAFE] (HIGH): The skill extracts active Slack session credentials from the local filesystem and macOS Keychain to facilitate session-based authentication.
Evidence in src/auth.js: Uses security find-generic-password to retrieve the 'Slack Safe Storage' key from the macOS Keychain.
Evidence in src/auth.js: Decrypts the Slack session cookie ('xoxd-') using AES-128-CBC via openssl.
Evidence in src/auth.js: Scans LevelDB files in ~/Library/Application Support/Slack/Local Storage/leveldb to extract 'xoxc-' session tokens.
Credentials are cached locally in plaintext in ~/.local/slk/token-cache.json.
[PROMPT_INJECTION] (HIGH): This skill introduces a critical Indirect Prompt Injection surface by allowing an agent to read attacker-controlled content and perform side effects.
Ingestion points: Commands such as slk read, slk thread, and slk search (implemented in src/commands.js) ingest untrusted message data from Slack into the agent context.
Boundary markers: No delimiters or instructions are provided to the agent to treat Slack message content as untrusted data.
Capability inventory: The agent can execute side effects using slk send, slk react (in src/commands.js), and slk draft (in src/drafts.js).
Sanitization: No filtering or sanitization of ingested Slack content is performed before presentation to the AI.
[REMOTE_CODE_EXECUTION] (HIGH): The tool executes code via external system interpreters at runtime.
Evidence in src/auth.js: Uses spawnSync('python3', ['-c', ...]) to execute a hardcoded Python script block for parsing Snappy-compressed LevelDB data.
[COMMAND_EXECUTION] (HIGH): Relies on the execution of multiple system-level binaries with sensitive permissions.
Evidence in src/auth.js: Spawns security, sqlite3, openssl, and curl using execSync and spawnSync to access protected system data and perform network operations.

slack-personal