Back to skill

Security audit

Slack Hub Skill

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says for Slack, but it can use a bot token to post, search workspace content, and list private-channel metadata beyond the documented public-channel scope.

Review before installing. Use a narrowly scoped Slack bot token, store it as a secret, and only enable this skill where agents are allowed to post to Slack and search workspace content. Be aware that the current code can request private-channel listing despite the documentation saying public channels.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The CLI exposes `conversations.list` for both public and private channels, enabling workspace channel enumeration without any access control, justification, or limiting context. In an agent skill, this materially increases the ability to map internal communication surfaces and identify sensitive channels for later targeting or data collection.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill advertises workspace-wide search over messages and files without any warning that results may include sensitive internal communications, credentials, personal data, or confidential documents. In an agent context, exposing broad search capability without clear scope limits or user warning increases the chance of over-collection and unintended disclosure of sensitive Slack content.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs users to supply a Slack bot token but does not warn that the token is a sensitive credential that can grant messaging and search access to the workspace. Omitting secure-handling guidance increases the risk of accidental exposure in source control, logs, screenshots, or shared environment files, which could enable unauthorized Slack access.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
This code sends arbitrary message content to Slack via `chat.postMessage` without any user-facing disclosure, approval step, or policy check. In an agent context, that allows silent outbound communications, which can be abused for spam, impersonation, social engineering, or covert data exfiltration to attacker-controlled channels if inputs are influenced by an adversary.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.