ClawHub

Slack Actions

v0.1.1

Enables authenticated interaction with Slack for sending, editing, deleting, reacting to, and managing messages and pins via a secure bot token.

0· 646·0 current·0 all-time
by@rk905
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md describes precisely the Slack operations you'd expect for a 'Slack Actions' skill (sending/editing/deleting messages, reactions, pins, reading history, listing emojis, user lookups). However, the registry metadata claims no required environment variables or primary credential, while the runtime instructions explicitly require SLACK_BOT_TOKEN. That metadata–behavior mismatch is an incoherence (either the metadata is incomplete/incorrect or the skill author failed to declare a sensitive requirement).
Instruction Scope
The instructions in SKILL.md stay narrowly focused on Slack API actions and require only a Bot OAuth token and standard Slack scopes. The doc does not instruct the agent to read unrelated files, secrets, or system state. It also contains sensible behavioral rules (confirm IDs, avoid logging tokens).
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That is lower risk because nothing is downloaded or executed by default; however, actual runtime behavior depends on how the agent implements these instructions.
!
Credentials
The SKILL.md requires a single sensitive environment variable (SLACK_BOT_TOKEN) with broad workspace scopes, which is proportionate for Slack integration—but the registry metadata fails to declare this. The absence of a declared primary credential reduces transparency and prevents reviewers/automated systems from flagging sensitive requirements. Additionally, Bot tokens (xoxb-) can be powerful; ensure least-privilege scopes and use a dedicated bot account limited to necessary channels.
Persistence & Privilege
always is false and the skill does not request system-wide persistence or modification of other skills' configs. The skill will be able to be invoked autonomously by the agent (default), which is expected; combine this with a valid bot token and the agent could perform Slack actions, so token scope/limits are important.
What to consider before installing
Do not install blindfolded — ask the publisher for source code or a homepage and request corrected registry metadata that explicitly lists SLACK_BOT_TOKEN as a required credential. If you proceed, create a dedicated Slack bot with the minimum OAuth scopes listed in the SKILL.md, restrict the bot to only the channels it needs, and use a non-production workspace to test. Rotate the token after testing and never give a shared or user-level token. Prefer installing only after the author provides a verifiable implementation (repo or package) and the registry entry is updated to declare the sensitive environment variable; if you cannot verify the implementation, treat the undeclared sensitive requirement as a red flag.

Like a lobster shell, security has layers — review code before you run it.

latestvk979266vaa7wp1wpbeddnpbv01812ecv
646downloads
0stars
2versions
Updated 1mo ago
v0.1.1
MIT-0
@rk905
latest
Download

Slack Actions Skill

Overview

The Slack Actions Skill enables Clawdbot to securely interact with Slack channels and direct messages using a Bot OAuth token.

This skill allows agents to:

  • Send, edit, and delete messages
  • Add and list reactions
  • Pin and unpin messages
  • Read recent channel history
  • Retrieve member information
  • List workspace emojis

All actions are executed using the permissions granted to the configured bot account.

Purpose & Capability

This skill enables authenticated Slack operations using a Bot OAuth token supplied through the SLACK_BOT_TOKEN environment variable.

With valid credentials, the skill can:

  • Manage messages and reactions
  • Maintain pinned references
  • Retrieve basic user metadata
  • Support lightweight workflow automation

The skill operates strictly within the authorization scope of the configured Slack bot.

Authentication & Configuration

Required Environment Variable

This skill requires a Slack Bot User OAuth token.

Before use, configure:


SLACK_BOT_TOKEN

Example:

export SLACK_BOT_TOKEN="xoxb-xxxxxxxxxxxx-xxxxxxxxxxxx-xxxxxxxxxxxx"

Or in .env format:

SLACK_BOT_TOKEN=xoxb-xxxxxxxxxxxx-xxxxxxxxxxxx-xxxxxxxxxxxx

Token Requirements

The token must include the following OAuth scopes:

  • chat:write
  • channels:read
  • channels:history
  • reactions:write
  • pins:write
  • users:read
  • emoji:read

Additional scopes may be required depending on workspace policies.

Credential Storage

  • Tokens must be stored only in environment variables
  • Tokens must never be hardcoded
  • Tokens must never be logged
  • Tokens must not be exposed in outputs

If SLACK_BOT_TOKEN is missing, invalid, or revoked, this skill must not execute.

Initial Setup

To configure this skill:

  1. Create a Slack App in your workspace
  2. Enable Bot Token authentication
  3. Assign required OAuth scopes
  4. Install the app to the workspace
  5. Copy the Bot User OAuth token
  6. Store the token in SLACK_BOT_TOKEN
  7. Restart the agent

After setup, the skill becomes available for execution.

Credential Constraints

  • Only Bot User tokens (xoxb-) are supported
  • User tokens (xoxp-) are not permitted
  • Tokens must belong to a single workspace
  • Cross-workspace tokens are unsupported
  • Tokens must be rotated periodically
  • Tokens must comply with organizational security policies

Unauthorized credential usage is prohibited.

When to Use This Skill

Activate this skill when the user requests:

  • Sending messages to Slack
  • Reacting to messages
  • Editing or deleting content
  • Pinning or unpinning messages
  • Reading recent messages
  • Looking up users
  • Viewing emojis

Example triggers:

“Send this to #engineering.” “React with a checkmark.” “Pin that message.” “Who is U123?”

Required Inputs

Message Targeting

  • channelId — Slack channel ID (ex: C1234567890)
  • messageId — Slack timestamp (ex: 1712023032.1234)

Reactions

  • emoji — Unicode emoji or :name: format

Sending Messages

  • tochannel:<id> or user:<id>
  • content — Message text

Message context may contain reusable fields such as channel and slack message id.

Supported Action Groups

GroupStatusDescription
reactionsEnabledAdd and list reactions
messagesEnabledSend, edit, delete, read messages
pinsEnabledManage pinned items
memberInfoEnabledRetrieve user profiles
emojiListEnabledList custom emojis

Available Actions

React to a Message

{
  "action": "react",
  "channelId": "C123",
  "messageId": "1712023032.1234",
  "emoji": "✅"
}

List Reactions

{
  "action": "reactions",
  "channelId": "C123",
  "messageId": "1712023032.1234"
}

Send a Message

{
  "action": "sendMessage",
  "to": "channel:C123",
  "content": "Hello from Clawdbot"
}

Edit a Message

{
  "action": "editMessage",
  "channelId": "C123",
  "messageId": "1712023032.1234",
  "content": "Updated text"
}

Delete a Message

{
  "action": "deleteMessage",
  "channelId": "C123",
  "messageId": "1712023032.1234"
}

Read Recent Messages

{
  "action": "readMessages",
  "channelId": "C123",
  "limit": 20
}

Pin a Message

{
  "action": "pinMessage",
  "channelId": "C123",
  "messageId": "1712023032.1234"
}

Unpin a Message

{
  "action": "unpinMessage",
  "channelId": "C123",
  "messageId": "1712023032.1234"
}

List Pinned Items

{
  "action": "listPins",
  "channelId": "C123"
}

Get Member Information

{
  "action": "memberInfo",
  "userId": "U123"
}

List Workspace Emojis

{
  "action": "emojiList"
}

Behavioral Rules

  • Confirm IDs before destructive actions
  • Never delete messages without explicit user approval
  • Prefer reactions over messages for acknowledgments
  • Validate inputs before execution
  • Never expose credentials

Usage Examples

Mark Task Complete

{
  "action": "react",
  "channelId": "C123",
  "messageId": "1712023032.1234",
  "emoji": "✅"
}

Post Status Update

{
  "action": "sendMessage",
  "to": "channel:C456",
  "content": "Deployment completed successfully."
}

Save Important Message

{
  "action": "pinMessage",
  "channelId": "C123",
  "messageId": "1712023032.1234"
}

Instruction Scope

This skill is limited to Slack workspace operations authorized by the configured bot token.

It does NOT:

  • Create Slack applications
  • Modify workspace settings
  • Manage billing
  • Bypass permissions
  • Escalate privileges

All operations respect Slack API constraints.

Compliance

This skill follows Slack API Terms of Service and OAuth security guidelines.

Users are responsible for obtaining organizational approval prior to deployment.

Best Practices

  • Use reactions for lightweight workflows
  • Pin long-term references
  • Keep messages concise
  • Avoid bulk destructive actions
  • Rotate credentials regularly

Comments

Loading comments...