Is jilycn/slack-extended safe?
https://github.com/openclaw/skills/tree/main/skills/jilycn/slack-extended
slack-extended is a structurally clean Slack integration skill whose Python scripts exclusively communicate with official Slack API endpoints using stdlib HTTP, with no prompt injection, hidden instructions, remote code execution, or canary file exfiltration detected during the audit. The principal risk is the unrestricted file upload path: any readable local file can be sent to a Slack channel, creating a meaningful exfiltration vector if an agent is socially engineered or given ambiguous instructions. Bookmark and canvas access controls add secondary phishing and privilege-propagation risks that are low-probability but non-zero in an agentic context.
Findings (7)
HIGH Unrestricted Filesystem Path in File Upload -38
slack_file_upload.py accepts any absolute or relative path via --file with no allowlist, denylist, or working-directory restriction. os.path.abspath() normalizes traversal sequences but does not confine the resolved path to any directory. An agent manipulated by a malicious prompt or ambiguous user instruction (e.g. 'share the config file') could upload ~/.ssh/id_rsa, ~/.aws/credentials, .env, or any other user-readable file directly to a Slack channel, where it persists and is visible to all channel members and any Slack integrations with message-read access.
MEDIUM Bookmark Injection Enables Channel-Level Phishing -15
The bookmarks.add subcommand posts a link bookmark to any channel's persistent bookmark bar with a user-controlled title and URL. No URL scheme validation or domain allowlist is applied. A manipulated agent could add a URL like 'https://attacker.example.com/login' with title 'Company SSO' to a high-traffic channel, visible to all members on every session.
MEDIUM Canvas Write Access Propagation to Arbitrary Principals -12
The canvas access subcommand calls canvases.access.set with user-supplied channel_ids or user_ids and access_level=write. An agent instructed to 'share' a canvas could grant write access to unintended channels or external user IDs, including guests. No confirmation step exists in the script.
LOW Config Path Leaked in Error Messages -5
All three scripts print CONFIG_PATH to stderr when the bot token is missing. In environments where stderr is logged or captured, this exposes the credential file location to log aggregators or monitoring systems.
LOW Scripts Execute with Full Host-User Permissions -5
Python scripts run as the agent's host user with no privilege dropping, seccomp filtering, or filesystem namespace isolation. This is standard for CLI tools but in an agent context means the scripts inherit access to all files, sockets, and resources available to the user.
INFO Generic File Path Examples Normalize Broad Filesystem Access -5
SKILL.md examples reference paths like ./notes.txt and results.csv without constraining to a working directory. Agents may interpret these patterns as permission to reference any relative path, slightly increasing the probability of accidentally uploading sensitive files from unexpected directories.
INFO Sparse Git Checkout Pattern is Legitimate 0
Installation clones the openclaw/skills monorepo with --depth 1 --no-checkout, then uses git sparse-checkout to extract only the target skill path before copying files. This is the expected installation mechanism for the openclaw marketplace and requires only github.com network access.