Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Slack Assistant
v1.0.0
Slack API integration with smart AI features — send messages, read channels, search conversations, and manage workspaces with Claude-powered summarization an...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The scripts and SKILL.md implement a Slack integration plus optional EvoLink AI calls — those requirements (Slack bot token / client_id/client_secret and optional EVOLINK_API_KEY) are coherent with the skill's stated purpose. However the registry metadata at the top claims no required binaries or env vars while the bundle (SKILL.md and _meta.json) requires python3 and curl and expects ~/.slack-skill/credentials.json/token.json. This mismatch is unexpected and should be corrected by the publisher.
Instruction Scope
Runtime instructions and scripts limit network calls to Slack (api.slack.com / slack.com) and, optionally, api.evolink.ai when EVOLINK_API_KEY is set. The OAuth flow listens on localhost to capture codes and stores tokens under ~/.slack-skill; commands only reference Slack/EvoLink endpoints. No other system paths, unexpected external endpoints, or broad data collection are present in the scripts.
Install Mechanism
There is no automated install step that downloads or executes remote code; the package is instruction- and script-based. No external archive downloads or obscure URLs are used by the code. The README suggests optional npx installation names but the provided scripts are local and self-contained.
Credentials
The skill legitimately requires Slack credentials (bot token, and optionally client_id/client_secret) and optionally EVOLINK_API_KEY for AI features. Those credentials are stored in ~/.slack-skill/credentials.json and token.json. The registry claims 'Required env vars: none' and 'Primary credential: none', which contradicts the actual need for Slack tokens/files and the declared required binaries (python3, curl). The mismatch could lead to users missing critical setup steps or assuming no secrets are needed.
Persistence & Privilege
The skill stores OAuth tokens under ~/.slack-skill with directory mode 700 and files mode 600 per the scripts — this is scoped to the user and typical for this kind of tool. always:false (not force-included). The skill does not request elevated system privileges or modify other skills' configs.
What to consider before installing
This skill's behavior is mostly coherent with a Slack integration that optionally uses EvoLink's AI API, but the registry metadata is incomplete: it does require python3 and curl and you must supply Slack credentials (bot token or client_id/client_secret) and optionally EVOLINK_API_KEY. Before installing, verify the GitHub repo and publisher (the SKILL.md and README reference EvoLinkAI and a GitHub link), and inspect the provided scripts yourself. If you enable AI features (set EVOLINK_API_KEY), understand that message content, sender names, and channel info will be sent to api.evolink.ai. Only populate credentials you trust the code to use, and consider creating and installing a Slack app with minimal scopes for this purpose and running the OAuth flow on a machine you control. Finally, ask the publisher to fix the registry metadata so required binaries and credential expectations are explicit.
Like a lobster shell, security has layers — review code before you run it.
latestvk976a5g0c513n5nxcwhqnwb0qn844dzq
