slack
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFE PROMPT_INJECTION EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from Slack workspaces, such as messages, threads, and channel topics.
  - Ingestion points: Untrusted data from Slack enters the agent's context through commands such as `agent-browser snapshot`, `agent-browser get text`, and `agent-browser screenshot` as detailed in `SKILL.md` and `references/slack-tasks.md`.
  - Boundary markers: The skill documentation does not provide specific instructions or delimiters to separate Slack content from the agent's core instructions, increasing the risk of the agent following instructions embedded in messages.
  - Capability inventory: The agent has access to powerful browser automation tools via `Bash(agent-browser:*)`, including the ability to click interactive elements, fill forms, and navigate between workspace areas.
  - Sanitization: No sanitization, filtering, or validation of content retrieved from Slack is documented before it is passed to the agent.
- [EXTERNAL_DOWNLOADS]: The skill utilizes `npx agent-browser` to run automation tools, which are resources provided by the vendor.
Audit Metadata