Slack Messaging

Security checks across malware telemetry and agentic risk

Overview

This is a transparent Slack API helper skill; it uses a Slack token for expected messaging, channel, file, reaction, and user lookup actions, with no hidden code or persistence.

Install only if you are comfortable giving the agent access to a Slack token. Use a low-privilege bot token limited to the scopes and channels needed, confirm channel IDs and recipients before write actions, and avoid posting secrets, customer data, private logs, or sensitive incident details unless your workspace policy allows it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill documents read access to channel history and user directory data but does not warn that these operations expose potentially sensitive workspace information, including private channel metadata, message content, and employee identifiers. In an agent setting, this omission can lead to overbroad use of the skill without informed consent, data-minimization controls, or approval boundaries.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill provides examples for posting messages, creating channels, and uploading or sharing files, but it does not warn that these are state-changing actions that can affect workspace communications, visibility, and data distribution. Without guardrails, an agent could spam channels, create misleading incident spaces, or distribute files/links to unintended audiences.

VirusTotal

64/64 vendors flagged this skill as clean.
