Back to plugin

Security audit

Slack Tools

Security checks across malware telemetry and agentic risk

Overview

Review before installing: the Slack features are mostly coherent, but the code includes an undeclared Telegram notification path that can use Telegram credentials and post outside Slack.

Install only if you trust the publisher and understand the Telegram side path. The Slack management functions appear broadly aligned with the stated purpose, but check that TELEGRAM_BOT_TOKEN and TELEGRAM_LIFECYCLE_CHAT_ID are not set for this environment unless you intentionally want this skill to send lifecycle messages to Telegram.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
index.ts:31
Evidence
const OPENCLAW_DIR = process.env.OPENCLAW_HOME ?? join(homedir(), ".openclaw");