Is slack safe?

https://clawhub.ai/steipete/slack

88
SAFE

This is a clean, declarative Slack integration skill with no executable code, no network activity, no prompt injection attempts, and no canary file access. It provides a well-documented JSON action schema for standard Slack operations (messaging, reactions, pins, member info). The only concerns are inherent to any messaging integration: the ability to send/delete messages creates a potential exfiltration/cover-up channel if combined with a malicious upstream prompt, but the skill itself introduces no novel attack surface.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (6)

LOW Messaging skill inherently enables data exfiltration channel -10

The sendMessage action allows the agent to post arbitrary content to any Slack channel or DM. If a malicious prompt injection from another source instructs the agent to read sensitive data and send it via Slack, this skill provides the delivery mechanism. This is an inherent property of any messaging integration, not a flaw in the skill itself.

LOW Delete capability could enable evidence destruction -5

The deleteMessage action could be used to remove messages after they have been read by an attacker, covering tracks of data exfiltration performed via Slack.

INFO Suggestive 'Ideas to try' section -5

The skill includes an 'Ideas to try' section that suggests workflows like reacting with checkmarks and pinning decisions. While these are benign suggestions and not injections, they represent mild behavioral nudging of the agent.

LOW readMessages exposes channel history to agent context -5

The readMessages action allows reading up to N recent messages from any channel the bot has access to. This injects potentially sensitive workplace communications into the agent's context window, where they could be referenced or relayed by other actions.

INFO Broad action surface with all groups enabled by default -10

All five action groups (reactions, messages, pins, memberInfo, emojiList) are enabled by default. A more security-conscious design might default to read-only operations and require explicit opt-in for write operations like sendMessage and deleteMessage.

INFO Jiti cache writes in /tmp during install -5

Multiple /tmp/jiti/ files were created during the install process. These are standard jiti TypeScript transpiler cache files from the ClawdBot runtime, not from the skill itself. No security concern.