Slack Hub Skill
Review
Audited by ClawScan on May 10, 2026.
Overview
This Slack skill mostly matches its purpose, but it under-declares Slack credential use and its channel-listing code requests private channels despite advertising public-channel listing.
Only install this if you are comfortable giving it a Slack bot token. Use the narrowest Slack scopes possible, verify that channel listing is restricted to the channels you intend, and require human confirmation before the bot posts messages.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users relying on registry metadata may not realize the skill needs a Slack token that can act in their workspace.
The registry credential contract omits Slack credentials even though SKILL.md requires SLACK_BOT_TOKEN and the code reads it. A Slack bot token is expected for this purpose, but it is sensitive account authority.
Required env vars: none ... Env var declarations: none ... Primary credential: none
Declare SLACK_BOT_TOKEN and the required Slack scopes in metadata, and use a least-privilege Slack app token.
The agent may expose private channel metadata visible to the bot when the user expected only public channel listing.
The documented tool says it lists public channels, but the implementation also requests private_channel data from Slack.
hub._call("conversations.list", {"types": "public_channel,private_channel"})
Restrict the list action to public_channel unless private channel access is explicitly disclosed, scoped, and approved.
If invoked with the wrong target or text, the bot could post unintended messages to Slack channels or users.
Posting Slack messages is the core purpose of the skill, but it is a mutating action performed under the bot identity.
return self._call("chat.postMessage", data)
Require explicit user confirmation of the destination and message content before sending Slack messages.
Search results may reveal workspace content to the agent, and message text should not be treated as authoritative instructions.
Slack search results are returned into the agent/output context. This is purpose-aligned, but workspace messages can be sensitive or contain untrusted instructions.
response = requests.get(f"{self.base_url}/search.messages", headers=headers, params=params)
return response.json()
Limit token scopes and search usage, and treat Slack search results as untrusted content unless the user asks otherwise.
A future install may resolve a different requests version than the one the author tested.
The package dependency is declared without a pinned version. This is common for simple integrations, but it reduces reproducibility and supply-chain reviewability.
"dependencies": ["requests"]
Pin dependency versions or provide a lockfile for reproducible installation.
