Skillv1.10.5

ClawScan security

Agent Slack · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 6, 2026, 3:40 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior (automatic extraction and local storage of Slack tokens, mandatory reading/writing of a persistent memory file, and lack of a traced upstream source) is coherent with a Slack CLI but raises security and provenance concerns that are not fully declared in the registry metadata.
Guidance: This skill will automatically extract Slack session tokens from your local Slack desktop app and store them at ~/.config/agent-messenger/slack-credentials.json (plaintext, owner-only permissions). It also instructs the agent to read and overwrite a persistent memory file (~/.config/agent-messenger/MEMORY.md) at the start of every task. Before installing: - Verify provenance: the registry lists 'Source: unknown' and no homepage — review the npm package (agent-messenger) source code and publisher before installing. If you can't find a trusted upstream, don't install. - Understand credential risk: extracted tokens grant the same access you have in Slack. If you run this on a machine with workspaces you care about, consider using a least-privilege approach (e.g., bot tokens scoped to a single workspace/channel) instead of your personal session tokens. - Inspect local file effects: expect ~/.config/agent-messenger/slack-credentials.json and MEMORY.md to be created. Back up any important data and review these files after first run. Consider restricting file permissions and removing stored credentials when not needed. - Review runtime behavior: the agent is instructed to read MEMORY.md at every task start. That means the model will routinely receive persistent local context — be cautious about what you allow it to store there. - Audit the package: run 'npm view agent-messenger' and inspect the package contents or clone the repository before installing. If you cannot validate the publisher and code, treat this as high-risk and avoid installing. Because of the mismatches (undisclosed filesystem access and stored tokens, missing upstream provenance, and contradictory guidance about storing tokens), treat this skill as suspicious and verify code and publisher trustworthiness before use.

Review Dimensions

Purpose & Capability: noteThe name/description (Slack integration) match the code and instructions: the CLI extracts Slack tokens, lists channels, sends messages, etc. Extracting tokens from the Slack desktop app is a legitimate way for a CLI to authenticate. However the registry metadata does not declare the config paths or files the skill will read/write (it lists none), while the implementation accesses Slack app directories and writes ~/.config/agent-messenger/slack-credentials.json and MEMORY.md — this mismatch should be disclosed to users.
Instruction Scope: concernSKILL.md instructs the agent to always read ~/.config/agent-messenger/MEMORY.md at the start of every task and to write the complete file when updating memory. That grants the agent routine access to persistent local state. The tool itself also performs automatic token extraction by reading Slack desktop app storage and (on macOS) decrypting cookies via Keychain. The instructions assert 'do not store tokens' but the reference docs show tokens are stored in plaintext under ~/.config/agent-messenger/slack-credentials.json — a direct contradiction and a clear scope/privacy concern.
Install Mechanism: noteInstall uses a Node package (kind: node, package: agent-messenger) which provides the agent-slack binary. This is a typical install mechanism (moderate risk compared to direct downloads). However the package source is 'unknown' and there is no homepage listed in the registry metadata — you cannot verify the upstream project or review the published package before installing without additional effort.
Credentials: concernThe skill declares no required env vars or config paths, yet the implementation reads Slack desktop app data directories and writes credentials to ~/.config/agent-messenger/slack-credentials.json (tokens stored plaintext with 0600 permissions). That local file contains full workspace tokens/cookies granting the same access as the desktop app — this is sensitive but not reflected in the declared requirements. The memory file policy (what to store / not store) in SKILL.md conflicts with actual credential storage described in references.
Persistence & Privilege: noteThe skill persists credentials and snapshots under ~/.config/agent-messenger and instructs the agent to read/write a persistent MEMORY.md on every task. It does not set always:true and does not modify other skills. Persistent storage of tokens combined with autonomous invocation (default platform behavior) increases risk in practice — consider that an LLM with this skill could be able to use stored tokens if the skill is invoked.