Skill v1.0.0
ClawScan security
Slack Thread Reader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 5, 2026, 1:03 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is plausible for reading Slack but it quietly expects a Slack bot token in ~/.openclaw/openclaw.json and writes a local user cache while the manifest declares no credentials or config paths — these mismatches warrant caution.
- Guidance: This skill will call the Slack API and requires a Slack bot token, but the registry metadata does not declare any required credentials or config paths. Before installing: (1) Inspect ~/.openclaw/openclaw.json to see whether it already holds other secrets and to confirm the skill only reads channels.slack.botToken; (2) Provide a dedicated bot token with the minimum necessary scopes (e.g., channels.history, conversations.replies, users:read) rather than a user token or a token with wide scopes; (3) Note the skill writes a cache to ~/.cache/slack-reader/users.json — consider file permissions or running in an isolated environment; (4) If you cannot verify the source, do not install system-wide; instead run the scripts in a sandbox or review the full code to ensure no hidden endpoints are contacted. The main red flag is the undocumented config file usage — ask the publisher to document credential setup or update the manifest to declare the required config/credential.
Review Dimensions
- Purpose & Capability (concern): The skill's stated purpose (read/summarize Slack threads) legitimately requires access to the Slack Web API. The code fetches a Slack bot token from ~/.openclaw/openclaw.json (channels.slack.botToken). However, the registry metadata declares no required env vars or config paths. This is an incoherence: a Slack-integration skill should declare its credential requirement.
- Instruction Scope (concern): SKILL.md describes how to invoke the scripts but does not document the need to supply a bot token or the specific config file path. The runtime code reads ~/.openclaw/openclaw.json and writes a cache at ~/.cache/slack-reader/users.json. The instructions give the agent broad discretion (e.g., fetching full channel history and thread replies) but omit the credential/config requirements and where data is persisted.
- Install Mechanism (ok): There is no install spec (instruction-only), and included scripts are plain Python/Bash. No external installers or downloads are used. Risk from install mechanism is low.
- Credentials (concern): The code requires a Slack bot token stored in a local config file, which is reasonable for the functionality, but the manifest did not declare this credential or config path. The skill will fail (and exit) if the config file is missing or malformed. It also creates/updates a local cache at ~/.cache/slack-reader/users.json. Because required credentials are not declared, users may unknowingly provide a token with broader scopes or reuse a shared config containing other secrets.
- Persistence & Privilege (ok): The skill does not request always:true and does not modify other skills or system-wide settings. It persists only a local user-name cache and reads a local config file; this is within reasonable scope for a client tool but should be documented.
