Slack Assistant (Slack助手)

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Slack helper, but it asks users to enable broad Slack actions without clear permission scoping, privacy warnings, or confirmation guidance for sensitive reads and external writes.

Review before installing. Use a dedicated Slack app with only the scopes needed for your intended use; avoid broad workspace tokens; require explicit confirmation before posting, inviting users, creating channels, searching history, or uploading files; and do not provide paths to sensitive local files or secrets unless you intend to share them in Slack.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium, 89% confidence
Finding
The documented OAuth scopes only include chat:write, channels:read, and channels:history, but the examples also perform channel creation/invites and file upload. This mismatch can cause operators to broaden permissions ad hoc or deploy a token that behaves unpredictably, increasing the chance of over-privileged Slack apps and unsafe handling of sensitive workspace data.

Intent-Code Divergence

Low, 77% confidence
Finding
The comment says the function lists public channels, but the code calls conversations_list without enforcing a public-channel-only filter. In practice this can expose metadata from additional conversation types depending on token scopes and defaults, which may mislead users about what data the assistant is accessing.

Vague Triggers

Medium, 84% confidence
Finding
The activation keywords are very broad everyday terms like 'Slack', '消息', and '通知', making accidental invocation likely in normal conversation. In a skill that can send messages, search history, create channels, and upload files, unintended activation can lead to unintended data access or external actions.

Missing User Warnings

Medium, 92% confidence
Finding
The skill presents message search and channel history retrieval as normal usage without warning that this may expose sensitive team communications to the assistant or downstream users. In a collaboration platform context, message history often contains confidential operational, personal, or security-related data.

Missing User Warnings

Medium, 91% confidence
Finding
The file-upload functionality is documented without warning that local files may be transmitted to Slack, potentially exfiltrating sensitive data outside the assistant's local context. Users may not realize that selecting a path can send confidential reports, logs, or secrets into a shared workspace.

Ssd 3

Medium, 90% confidence
Finding
The skill normalizes searching and retrieving Slack history through an assistant interface, which increases the chance that sensitive team content is surfaced, summarized, or relayed beyond its original audience. The risk is heightened because the examples emphasize convenience and omit safeguards around authorization, minimization, and user consent.

VirusTotal

65/65 vendors flagged this skill as clean.
