slack-personal
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). The URL points to a GitHub repo for a CLI that explicitly extracts Slack session tokens by reading macOS Keychain/LevelDB. GitHub hosting is not inherently malicious, but running this untrusted code would grant access to highly sensitive credentials and is therefore high risk.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This code explicitly extracts Slack credentials from the macOS Keychain and Slack LevelDB (decrypting the cookie, scanning for xoxc- tokens), caches them locally, and uses them to act as the user — a high-risk credential-theft capability that can be abused to impersonate the user even though it does not stealthily send that data to unknown external servers.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill explicitly reads user-generated Slack content (channels, DMs, threads, saved items, search results and pins) via Slack API calls such as conversations.history, conversations.replies, search.messages, saved.list and pins.list, so the agent will ingest untrusted third-party messages that could carry indirect prompt injections.