slack
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (LOW): The skill creates a surface for indirect prompt injection by ingesting untrusted external data and possessing impactful capabilities.\n
- Ingestion points: The agent retrieves potentially malicious instructions from Slack via
conversations.history,conversations.list, andusers.list(SKILL.md).\n - Boundary markers: There are no instructions or delimiters provided to the agent to distinguish between its system instructions and the untrusted content retrieved from Slack.\n
- Capability inventory: The skill allows for significant workspace modifications, including
chat.postMessage,chat.update,chat.delete,files.upload, andreactions.add(SKILL.md).\n - Sanitization: The skill does not implement or suggest any sanitization, validation, or filtering of the content retrieved from the Slack API before processing it.\n- Data Exposure & Exfiltration (LOW): The skill initiates network requests to
slack.com. While this is functional and intended, the domain is not part of the trusted whitelist, and the operations involve a sensitive bot token.
Audit Metadata