Slack Thread Reader
v1.0.0
Read and summarize Slack channel history and thread conversations. Use when receiving Slack links (https://...slack.com/archives/...) or requests to view cha...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose (read/summarize Slack threads) legitimately requires access to the Slack Web API. The code fetches a Slack bot token from ~/.openclaw/openclaw.json (channels.slack.botToken). However, the registry metadata declares no required env vars or config paths. This is an incoherence: a Slack-integration skill should declare its credential requirement.
Instruction Scope
SKILL.md describes how to invoke the scripts but does not document the need to supply a bot token or the specific config file path. The runtime code reads ~/.openclaw/openclaw.json and writes a cache at ~/.cache/slack-reader/users.json. The instructions give the agent broad discretion (e.g., fetching full channel history and thread replies) but omit the credential/config requirements and where data is persisted.
Install Mechanism
There is no install spec (instruction-only), and included scripts are plain Python/Bash. No external installers or downloads are used. Risk from install mechanism is low.
Credentials
The code requires a Slack bot token stored in a local config file, which is reasonable for the functionality, but the manifest did not declare this credential or config path. The skill will fail (and exit) if the config file is missing or malformed. It also creates/updates a local cache at ~/.cache/slack-reader/users.json. Because required credentials are not declared, users may unknowingly provide a token with broader scopes or reuse a shared config containing other secrets.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It persists only a local user-name cache and reads a local config file; this is within reasonable scope for a client tool but should be documented.
What to consider before installing
This skill will call the Slack API and requires a Slack bot token, but the registry metadata does not declare any required credentials or config paths. Before installing: (1) Inspect ~/.openclaw/openclaw.json to see whether it already holds other secrets and to confirm the skill only reads channels.slack.botToken; (2) Provide a dedicated bot token with the minimum necessary scopes (e.g., channels.history, conversations.replies, users:read) rather than a user token or a token with wide scopes; (3) Note the skill writes a cache to ~/.cache/slack-reader/users.json — consider file permissions or running in an isolated environment; (4) If you cannot verify the source, do not install system-wide; instead run the scripts in a sandbox or review the full code to ensure no hidden endpoints are contacted. The main red flag is the undocumented config file usage — ask the publisher to document credential setup or update the manifest to declare the required config/credential.
Like a lobster shell, security has layers — review code before you run it.
