Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Slack Controller
v1.0.0
Control Slack via Browser Automation to send messages, manage huddles, screen share, set status, and react as the logged-in user.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
SKILL.md says the skill automates the Slack web/desktop client as the logged-in user (reasonable for UI automation). However, the README/CLI examples call out a local Node binary at ~/.cursor/skills/slack-controller/dist/index.js, and skill.yaml declares permissions (network, command_execution) and an optional slack_bot_token. The package contains no install spec and no code files. This is internally inconsistent: a consumer cannot actually run the referenced binary as-distributed, and the declared permissions (network/command_execution) are not explained in the SKILL.md.
Instruction Scope
The instructions explicitly direct the agent to control the Slack UI, send messages, join/leave huddles, set status, perform searches, and upload local files. That implicitly grants access to the user's Slack session and any data visible in the UI. The uploadFile action takes an absolute filePath (arbitrary local-file access). Requiring Screen Recording and Accessibility on macOS is expected for UI automation, but also gives broad visibility/control. The SKILL.md does not limit what local data may be read or transmitted.
Install Mechanism
There is no install spec and there are no code files, yet CLI usage examples reference a Node script under the user's ~/.cursor path and skill.yaml implies a distributed implementation. That mismatch is a red flag: either required code is missing from the package (broken/unfinished) or the skill expects out-of-band installation from an unvetted source. Instruction-only skills are lowest risk when self-contained; this one is not self-contained.
Credentials
The registry metadata declares no required env vars, but skill.yaml exposes an optional slack_bot_token and requests network and command_execution permissions. An optional bot token is plausible as a fallback, but SKILL.md never documents using it. Network and command_execution permissions broaden the attack surface (they would allow arbitrary remote comms and running commands) and are not justified clearly by the browser-automation description.
Persistence & Privilege
always: false (normal). The skill explicitly asks the user to grant macOS Accessibility and Screen Recording and to create/use an automation browser profile; those OS-level permissions are necessary for UI automation but are sensitive because they enable observing and controlling the screen and UI. The package itself does not request persistent installation metadata, but the workflow would create persistent local profiles/cookies that the automation would reuse.
What to consider before installing
This package is inconsistent and worth caution. Before installing or running anything:
1) Ask the publisher for the source repository and a reproducible install script — do not run the CLI examples that reference ~/.cursor/skills/.../dist/index.js because that file is not present.
2) Do not grant Accessibility or Screen Recording until you can audit the code that will exercise those permissions. UI automation can read and type everything you see; the uploadFile action can read any local path you give it.
3) If you only need to send programmatic Slack messages, prefer using a scoped Slack bot token (least privilege) via the official API rather than full-session UI automation.
4) If you decide to proceed, require the skill author to provide: full source code, a trustworthy install host (no private short URLs), a clear explanation of why network/command_execution are required, and a reproducible audit showing no data exfiltration.
5) If you cannot obtain this, treat the skill as untrusted and do not grant OS-level automation permissions or run any referenced binaries.
Latest version: vk97a5bw3znmh9r0set2c4cawwd81vj3j