Slack (Socket Mode)

Security checks across malware telemetry and agentic risk

Overview

This Slack skill is transparent about using a bot to control Slack, but it gives broad message-changing and profile-reading powers without enough safety limits.

Install only with a Slack bot token limited to the channels and scopes you actually need. Require explicit approval before sending, editing, deleting, pinning, unpinning, downloading files, or retrieving member profile details, and avoid open-ended channel monitoring unless that is clearly intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly documents destructive Slack operations such as edit, delete, pin, and unpin as normal actions without any guardrails, confirmation requirements, or warning about altering user-visible records. In an agent context, this increases the chance of unintended tampering with communications, evidence, or channel state, especially if an upstream prompt induces the agent to act on untrusted instructions.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill advertises member-info retrieval returning email, avatar URLs, timezone, and profile status without any privacy caveat or purpose limitation. In an agent environment, this can enable unnecessary collection or disclosure of personal data, especially when the agent is prompted to enumerate or enrich user identities beyond the minimum needed task scope.

VirusTotal

60/60 vendors flagged this skill as clean.
