Slack Assistant

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Slack assistant, but it needs review because it has broad Slack authority and unsafe handling of Slack/user text in executable Python snippets.

Install only if you can grant a dedicated, least-privilege Slack app and are comfortable with optional AI commands sending Slack content to EvoLink. Avoid AI commands on untrusted or highly sensitive Slack channels until the unsafe python3 -c interpolation is fixed, and require explicit human confirmation before posting, uploading, inviting users, reacting, or archiving channels.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script hard-codes an extremely broad Slack scope set, including write, history, management, search, and email-read permissions, even though an authentication helper only needs the minimum scopes required for the actual installed app. If a token obtained through this helper is stolen or misused, the blast radius is much larger than necessary: it can read conversations, write messages, manage channels, and access user email data across a workspace.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README promotes broad Slack read/write/search/history capabilities and optional AI summarization/drafting, but it does not warn that enabling these features can expose sensitive workspace data to the skill and potentially to a third-party AI provider via EVOLINK_API_KEY-backed features. In a workplace chat context, channels, DMs, files, and search results often contain confidential business, employee, or customer information, so the absence of privacy, consent, retention, and least-privilege guidance materially increases risk.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The invocation guidance uses broad requests like reading channels, searching conversations, summarizing messages, and managing workspaces without explicit scope limits, approval steps, or exclusions for sensitive channels and direct messages. In a Slack integration, ambiguous natural-language triggers can cause overbroad data retrieval or workspace-modifying actions beyond what the user specifically intended.

Missing User Warnings

High
Confidence
98% confidence
Finding
The AI helper sends Slack conversation content to a third-party service (api.evolink.ai) without any execution-time consent, warning, redaction, or policy gate. Because Slack messages commonly contain internal business data, credentials, customer information, or sensitive discussions, this creates a real confidentiality and compliance risk rather than a mere usability issue.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The archive command performs a destructive workspace action immediately with no confirmation prompt, dry-run, or safeguard. In an agentic or automated context, a mistaken parameter or prompt injection into upstream tooling could archive the wrong channel and disrupt collaboration.

Ssd 3

High
Confidence
99% confidence
Finding
The evolink_ai function is a general external data export primitive for AI features: it packages prompt plus Slack-derived content and posts it to a third-party endpoint. Because this helper underpins summarization, reply drafting, and prioritization, it centralizes a broad risk of confidential workspace data leaving Slack without controls.

Ssd 3

High
Confidence
98% confidence
Finding
The channel summarization feature exports recent channel messages, participant identifiers, timestamps, and thread/reply context to an external LLM. This broad disclosure can expose sensitive operational, legal, HR, customer, or security discussions to a third party, especially when run on private channels.

Ssd 3

High
Confidence
98% confidence
Finding
The AI reply feature sends the entire thread content to an external model to draft a response. Threads often contain concentrated sensitive context, and exporting the full conversation exceeds what may be necessary for drafting, creating unnecessary disclosure risk.

Ssd 3

High
Confidence
97% confidence
Finding
The prioritization feature exports recent messages plus engagement metadata such as reactions and reply counts to an external AI service. Even if intended for triage, this still discloses conversation content and social/organizational signals that may be sensitive in enterprise environments.

External Transmission

Medium
Category
Data Exfiltration
Content
"

  local response
  response=$(curl -s -X POST "$EVOLINK_API" \
    -H "Authorization: Bearer $api_key" \
    -H "Content-Type: application/json" \
    -d "@$tmpfile")
Confidence
98% confidence
Finding
curl -s -X POST "$EVOLINK_API" \ -H "Authorization: Bearer $api_key" \ -H "Content-Type: application/json" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.
