Skill v1.0.0
ClawScan security
slack-block-kit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 18, 2026, 12:57 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it generates Slack Block Kit table JSON and the code only formats JSON. Posting to Slack requires a normal Slack bot token, which the SKILL.md references but which is not embedded in the code.
- Guidance: This skill is a simple JSON formatter for Slack Block Kit tables. Before installing/using: (1) confirm you trust the unknown publisher (homepage not provided); (2) run the included scripts locally to verify output; (3) know that to actually post messages you'll need a Slack bot token (examples use $SLACK_BOT_TOKEN) and channel/thread IDs; supply them securely and give the token the minimum scopes needed; (4) ensure your runtime has node (to run scripts), plus curl and jq if you follow the posting examples; and (5) monitor logs to avoid accidentally leaking the token in command history or shared output.
Review Dimensions
- Purpose & Capability (note): The name/description match the included code: scripts/table.mjs builds Slack Block Kit table JSON. Minor mismatch: the SKILL.md examples assume availability of node, curl, and jq and reference a Slack bot token, but the skill metadata lists no required env vars or binaries. Those runtime tools/vars are typical for usage but were not declared in requires.*.
- Instruction Scope (ok): SKILL.md limits instructions to generating table JSON and showing how to POST it to Slack. It does not instruct the agent to read arbitrary system files or exfiltrate data. It does reference the platform config location (openclaw.json) as where a Slack bot token may be stored, but it does not include commands to read that file automatically.
- Install Mechanism (ok): No install spec (instruction-only plus a small script). The included script is pure node code that formats JSON and writes to stdout; nothing is downloaded or written to disk by an installer.
- Credentials (note): The skill appropriately requires a Slack bot token to post messages; examples use $SLACK_BOT_TOKEN, $CHANNEL_ID, and $THREAD_TS. The skill did not declare required env vars in metadata, so users should be aware they must provide these at runtime. Ensure the token used is least-privilege (chat:write or minimal scopes).
- Persistence & Privilege (ok): always is false and the skill has no install steps that change agent config. It does not request persistent presence or elevated platform privileges.
