Is icyfrosty/slack-hub-skill safe?

https://github.com/openclaw/skills/tree/main/skills/icyfrosty/slack-hub-skill

84
SAFE

The Slack Hub Skill is a functional Slack API integration with clean SKILL.md (no prompt injection) and no malicious install-time behavior. The primary concern is an anomalous .clawhub/lock.json that references an unrelated skill ('academic-research-hub') and may attempt to manipulate OpenClaw's lock state. The skill's broad Slack capabilities (send, search, list) combined with a bot token requirement create meaningful data-exfiltration risk if the agent is adversarially prompted, though the skill code itself does not initiate unauthorized outbound connections.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (8)

HIGH Anomalous .clawhub/lock.json references unrelated skill -28

The skill ships a .clawhub/lock.json that records 'academic-research-hub' version 0.1.0 as installed (installedAt: 1770957475341). This skill has no declared relationship to academic-research-hub. If the OpenClaw runtime treats this file as authoritative lock state, installation of this skill could cause the platform to believe academic-research-hub is already installed, potentially bypassing its own security scan, version checks, or installation prompts.

MEDIUM SLACK_BOT_TOKEN credential requirement in .env file -8

The skill instructs users to place a Slack Bot Token (xoxb-...) in .env as SLACK_BOT_TOKEN. This concentrates a high-privilege OAuth credential in a plain-text file. Any skill or code co-installed that reads environment variables or .env files obtains full Slack API access under the token's scopes.

MEDIUM Slack capabilities enable agent-assisted data exfiltration -15

The slack_send tool allows posting arbitrary text to any channel the bot token can access. A compromised or adversarially prompted agent could use this as an exfiltration channel — reading sensitive files or environment variables via other tools, then relaying them to an attacker-controlled Slack workspace. The skill itself does not initiate this, but it completes the exfiltration pipeline when combined with file/env access.

MEDIUM slack_search exposes private workspace message content -5

The slack_search tool calls search.messages against the full workspace. Depending on the bot token's OAuth scopes (search:read), this can return content from private channels and direct messages. An active agent could be instructed to search for keywords like 'password', 'secret', or 'key' and return results.

LOW Executable Python entrypoint included -8

slack_hub.py is a runnable Python script with an if name == 'main' block and argparse-based CLI. This is expected for a tool skill but represents executable code that will be invoked by the agent runtime with network access.

LOW Post-install connections are platform gateway, not skill-initiated -15

Two new established TCP connections to 54.211.197.216:443 appear after installation but are attributed entirely to the openclaw-gateway process (pid=1092) which was running before installation. Not caused by the skill itself.

INFO 'hardened: true' metadata claim is unverifiable -3

skill.json sets 'hardened: true' in the metadata block. This claim has no supporting evidence in the code or documentation and may create a false sense of security in consumers who check this field.

INFO Canary files read multiple times — consistent with audit infrastructure -10

Credential canary files (.env, id_rsa, .aws/credentials, etc.) show multiple read accesses across the monitoring window. Timing analysis places accesses at audit-start (baseline hash), mid-session (GNOME/platform startup), and audit-end (post-install hash comparison). All files confirmed intact with no write or send syscalls correlated.