Agent Slackbot

Security checks across malware telemetry and agentic risk

Overview

This Slack bot skill is mostly coherent, but it gives an agent broad Slack read/write access and persists sensitive tokens and workspace metadata locally, so it needs careful review before use.

Install only if you trust the external agent-messenger package and are comfortable giving an agent Slack bot access. Create a dedicated Slack app, grant only the scopes needed for your workflow, avoid private-channel and user-email scopes unless necessary, prefer environment variables or a secret manager over saved plaintext credentials when possible, and periodically clear or review both the credential file and MEMORY.md.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence: 85%
Finding
The skill explicitly instructs persistent storage of workspace IDs, channel IDs, user IDs, aliases, and user preferences across sessions without a clear consent, retention, or privacy notice. Even though it says not to store tokens or message bodies, this still creates a durable metadata trail that can expose organizational structure and user identity information to future tasks or unrelated contexts.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation explicitly instructs users to store a live Slack bot token in a plaintext JSON file on disk. Although it mentions 0600 permissions and briefly notes the file grants access, bot tokens are sensitive credentials and storing them unencrypted increases exposure to local compromise, backups, log collection, accidental disclosure, and malware on the host.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documented polling pattern reads channel messages and echoes message text to stdout, then conditionally responds, but it provides no privacy warning, consent guidance, or restrictions on where this should be used. In a Slack bot skill, this normalizes passive monitoring of user communications and secondary logging of message contents, which can expose sensitive data in terminal logs, CI logs, or agent traces.

Ssd 3

Medium
Confidence: 90%
Finding
The memory section directs the agent to read and write cross-session natural-language memory containing discovered workspace, user, and channel data. This creates a real data retention and cross-context leakage risk because later tasks may inherit information unrelated to the current user request, and the freeform Markdown format makes over-collection likely.

Credential Access

High
Category: Privilege Escalation
Content
2. Calls `auth.test` to verify the token against Slack API
3. Stores the bot under the workspace with its bot ID and name
4. Sets this bot as the current active bot
5. Saves credentials to `~/.config/agent-messenger/slackbot-credentials.json`

## Credential Storage
Confidence: 95%
Finding
credentials.json

VirusTotal

65/65 vendors flagged this skill as clean.
