Agent Slack

Security checks across malware telemetry and agentic risk

Overview

This Slack skill is functional and mostly disclosed, but it uses broad desktop-session credential extraction and persistent local storage that users should review carefully before installing.

Install only if you are comfortable giving this tool Slack access equivalent to your logged-in desktop session across all extracted workspaces. Review the external npm package before use, avoid granting Full Disk Access unless necessary, confirm before message delete/upload/broadcast actions, and protect or delete the credentials, memory, and snapshot files when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (20)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The manifest presents the skill as limited to messaging, reading channels, and reactions, but the documented capabilities are materially broader: full workspace snapshots, enumeration of users/channels, activity retrieval, file operations, and local credential/state handling. This mismatch can cause users or higher-level policy systems to authorize the skill under a narrower trust assumption than its real data-access scope.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill description omits file-management features even though the documentation includes file upload and file listing/info operations. Undisclosed file capabilities increase risk because users may not realize the tool can exfiltrate local files into Slack or enumerate workspace file metadata.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest understates broader account and workspace-state capabilities such as workspace switching/removal, auth status, and multi-workspace enumeration. Under-disclosure is dangerous because it obscures the breadth of account context the skill can inspect and manipulate.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Automatic extraction and storage of Slack desktop tokens/cookies is a highly sensitive credential-access capability. Even if intended for convenience, accessing reusable auth material from local app storage creates significant account-compromise and privacy risk if the tool, logs, or downstream agent behavior are abused.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documentation explicitly instructs users to extract Slack desktop session credentials, including xoxc tokens and xoxd cookies, from local application storage and persist them for later use. That materially expands the skill from ordinary Slack interaction into credential harvesting and session replication, which is highly sensitive and exceeds the stated purpose of simple workspace messaging and reactions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This section describes reading Slack desktop LevelDB storage, decrypting cookies via macOS Keychain, and extracting credentials for all logged-in workspaces. Those are classic credential-access behaviors that enable impersonation of the user across multiple Slack workspaces and create a powerful post-compromise persistence mechanism.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script invokes `agent-slack snapshot`, which appears to retrieve a broad workspace snapshot including channels, users, and recent messages, then uses that data for reporting. This exceeds the narrowly described messaging/read/reaction capability and increases the amount of sensitive Slack data collected in one operation, creating unnecessary exposure if the script is run in a sensitive workspace.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script writes the entire Slack snapshot to a timestamped JSON file on local disk, which may include user identifiers, private channel metadata, and message content. Persisting the full dataset creates a durable copy of potentially sensitive workspace information that can later be accessed, copied, or leaked beyond the original interactive use.

Vague Triggers

Medium
Confidence
93% confidence
Finding
Telling agents to run 'any command' to trigger authentication creates an overly broad activation path for sensitive credential extraction. This increases the chance of accidental auth access during benign operations and undermines least privilege and informed consent.

Missing User Warnings

High
Confidence
96% confidence
Finding
The documentation normalizes silent background extraction of Slack credentials without adequate up-front privacy and security disclosure. In the context of an agent skill, hidden credential access is especially dangerous because the user may believe they are only reading or sending messages, not granting token/cookie harvesting from local app storage.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The Quick Start encourages immediate data access actions like snapshotting the workspace and sending messages before clearly warning about automatic credential extraction and broad workspace access. This sequencing weakens informed consent and makes accidental sensitive access more likely.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The guide opens by normalizing extraction of Slack web credentials from the desktop app without an up-front warning that this grants full account-equivalent access and copies sensitive session material to another local file. That omission increases the likelihood that users will authorize risky behavior without understanding the consequences.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The monitoring example retrieves Slack messages and echoes user IDs and message text directly to stdout without any warning or safeguards around sensitive content. In agent and CI environments, stdout is often logged centrally, which can unintentionally exfiltrate private conversations, secrets, or personal data beyond Slack's intended audience.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The snapshot example pulls broad workspace data, enumerates users and channels, and prints recent message content without caution about access scope or data sensitivity. In a real workspace, this can expose large amounts of internal metadata and communications to logs or downstream systems, increasing privacy, compliance, and reconnaissance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script silently persists Slack workspace data locally without requiring confirmation or giving an upfront warning that sensitive data will be stored. Users may reasonably expect a summary command to be read-only/output-only, so hidden local persistence increases the risk of accidental data retention and compliance issues.

Ssd 3

Medium
Confidence
92% confidence
Finding
The skill instructs persistent cross-session storage of workspace IDs, channel/user IDs, aliases, thread timestamps, and user preferences in a natural-language file. Even without tokens, this creates a durable metadata cache that can leak organizational structure, personal associations, and activity context to later tasks or unintended readers.

Ssd 3

Medium
Confidence
98% confidence
Finding
The saved snapshot contains more data than necessary for a workspace summary, including user and message data, and it is stored without redaction or minimization. Retaining full raw records amplifies the consequences of local compromise, inadvertent sharing, or backup/sync exposure, especially in Slack environments that may contain internal or confidential communications.

Credential Access

High
Category
Privilege Escalation
Content
Credentials are extracted automatically from the Slack desktop app on first use. No manual setup required — just run any command and authentication happens silently in the background.

On macOS, the system may prompt for your Keychain password the first time (required to decrypt Slack's stored token). This is a one-time prompt.

**IMPORTANT**: NEVER guide the user to open a web browser, use DevTools, or manually copy tokens from a browser. Always use `agent-slack auth extract` to obtain tokens from the desktop app.
Confidence
98% confidence
Finding
Keychain

Credential Access

High
Category
Privilege Escalation
Content
Common causes:
- Slack desktop app is not installed or not logged in
- macOS Keychain access was denied (re-run and approve the prompt)
- Slack was installed via a method that uses a different storage path

### `agent-slack: command not found`
Confidence
95% confidence
Finding
Keychain

Session Persistence

Medium
Category
Rogue Agent
Content
## Memory

The agent maintains a `~/.config/agent-messenger/MEMORY.md` file as persistent memory across sessions. This is agent-managed — the CLI does not read or write this file. Use the `Read` and `Write` tools to manage your memory file.

### Reading Memory
Confidence
88% confidence
Finding
write this file. Use the `Read` and `Write` tools to manage your memory file. ### Reading Memory At the **start of every task**, read `~/.config/agent-messenger/MEMORY.md` using the `Read` tool to l

VirusTotal

63/63 vendors flagged this skill as clean.
