ClawHub

Slack Print

Security checks across malware telemetry and agentic risk

Overview

This Slack printing skill mostly matches its stated purpose, but it gives the agent broad printer-control powers and can print Slack downloads without an explicit safety check.

Review this skill before installing, especially in shared printer or Slack environments. Use it only when you are comfortable granting an agent access to fetch Slack files and send them to a named printer, and avoid using the bulk cancel command unless you intentionally want to clear that printer's queue. Confirm the target file, printer, and file count before printing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is scoped as printing files uploaded to Slack, but the documentation also enables arbitrary text printing and general printer administration commands. This expands the agent's operational scope beyond the declared purpose and can be abused to print attacker-controlled content or manipulate local printing infrastructure without a Slack-file context.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Documenting `cancel -a <PrinterName>` gives the agent an unjustified destructive capability for all jobs on a printer, which is unrelated to the stated task of printing Slack-uploaded files. An invoked agent could disrupt legitimate print workflows or cause denial of service against shared printers if this behavior is used without strict authorization and confirmation.

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
The skill's strict rules say not to create or modify files, yet the documented multi-line printing example writes to `/tmp/openclaw_print.txt`. This inconsistency can undermine safety constraints and normalize file creation behavior, making it easier for an agent to justify broader filesystem writes than intended.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The manifest uses broad trigger phrases like 'print the file from Slack' and 'print the Slack file,' which can cause the skill to activate in ambiguous situations without enough specificity about file selection, printer choice, or confirmation. In an agent setting, over-broad invocation increases the chance of unintended printing of sensitive documents or acting on the wrong Slack file.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The markdown includes destructive print-job cancellation guidance without any warning, scoping, or confirmation flow. In a shared environment, this can let an agent terminate unrelated users' print jobs, causing operational disruption and violating least-privilege expectations for a Slack printing skill.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This script automatically downloads files from Slack and immediately submits them to a printer, creating a real side effect on the host environment without any confirmation, preview, or safety gate. In an agent-driven context, ambiguous user intent, Slack channel noise, or maliciously uploaded files could cause unintended printing of sensitive, offensive, or costly documents.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal