slack-agent
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [Command Execution]: The skill guides the agent through project initialization, which involves running shell commands such as `git clone`, `pnpm install`, and `vercel`. These operations are fundamental to the skill's primary purpose as a setup wizard for Slack applications and are directed toward well-known tools and platforms.
- [External Downloads]: The setup process involves cloning a project template from a trusted GitHub repository associated with the vendor and installing established Node.js dependencies (e.g., `@slack/bolt`, `ai`) from the public registry. These actions are documented and necessary for the development environment setup.
- [Data Management]: The skill assists the user in configuring sensitive environment variables like `SLACK_BOT_TOKEN` and `SLACK_SIGNING_SECRET`. It incorporates explicit developer guidance and automated checks to ensure these credentials are stored in `.env` files and excluded from version control via `.gitignore`, adhering to security best practices.
- [User-Controlled Input]: The wizard collects user descriptions of the intended bot to generate implementation plans and customize the `manifest.json`. To mitigate risks associated with processing this input, the skill includes a mandatory 'Approve Plan' phase, serving as a human-in-the-loop verification step before the agent proceeds with implementation.
Audit Metadata