Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Slack Member Fetch
v1.0.0
Fetch Slack member information from a workspace or a specific Slack channel using the Slack Web API. Use when the user asks to list Slack members, get member...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The code and SKILL.md implement workspace- and channel-level member listing via the Slack Web API, which matches the skill name/description. However the registry metadata reports "Required env vars: none" and no primary credential, while the SKILL.md and script clearly require SLACK_BOT_TOKEN — a manifest inconsistency.
Instruction Scope
Runtime instructions and the script only call Slack API endpoints (users.list, conversations.list, conversations.members), paginate results, optionally write JSON to a local file, and print output. There are no references to unrelated files, system secrets, or external endpoints beyond slack.com.
Install Mechanism
No install spec — this is instruction + a small Python script. Nothing is downloaded or written by an installer step.
Credentials
The script legitimately needs a Slack token (SLACK_BOT_TOKEN) and recommends specific Slack scopes. The concern is that the skill registry metadata does not declare this required environment variable or a primary credential, which is misleading and could cause accidental token exposure or misconfiguration. Also the output includes potentially sensitive user emails and profile data, so token scope should be limited and users should be aware of data sensitivity.
Persistence & Privilege
always is false and the skill does not attempt to persist itself, modify other skills, or change system-wide agent settings.
What to consider before installing
This skill's code matches its described purpose, but the registry metadata omitted the required SLACK_BOT_TOKEN — treat that as a red flag about provenance/quality. Before installing or running:
(1) Verify you trust the source/owner (no homepage provided).
(2) Only provide a bot token (xoxb...) with the minimum scopes needed (users:read, conversations:read; avoid broader scopes).
(3) Be aware the output can include emails and profile fields; do not run in environments where those may be exposed.
(4) Review the included script yourself (it calls only slack.com APIs and can write results to a local file).
(5) Ask the publisher to update the skill manifest to declare SLACK_BOT_TOKEN as a required credential/primaryEnv so the platform can protect it properly.
Like a lobster shell, security has layers — review code before you run it.
