Slack Hub Skill
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: slack-hub-skill
Version: 0.1.0
The OpenClaw skill bundle for Slack integration is classified as benign. All files, including `SKILL.md`, `slack_hub.py`, and `skill.json`, align with the stated purpose of providing Slack messaging and search capabilities. The `slack_hub.py` script correctly retrieves the `SLACK_BOT_TOKEN` from environment variables and makes network requests exclusively to the official Slack API (https://slack.com/api). The `skill.json` file explicitly declares the necessary 'network' and 'env_vars' permissions, which are justified by the code's functionality. There is no evidence of prompt injection attempts in `SKILL.md`, unauthorized data exfiltration, malicious execution, persistence mechanisms, or obfuscation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users relying on registry metadata may not realize the skill needs a Slack token that can act in their workspace.
The registry credential contract omits Slack credentials even though SKILL.md requires SLACK_BOT_TOKEN and the code reads it. A Slack bot token is expected for this purpose, but it is sensitive account authority.
Required env vars: none ... Env var declarations: none ... Primary credential: none
Declare SLACK_BOT_TOKEN and the required Slack scopes in metadata, and use a least-privilege Slack app token.
The agent may expose private channel metadata visible to the bot when the user expected only public channel listing.
The documented tool says it lists public channels, but the implementation also requests private_channel data from Slack.
hub._call("conversations.list", {"types": "public_channel,private_channel"})
Restrict the list action to public_channel unless private channel access is explicitly disclosed, scoped, and approved.
If invoked with the wrong target or text, the bot could post unintended messages to Slack channels or users.
Posting Slack messages is the core purpose of the skill, but it is a mutating action performed under the bot identity.
return self._call("chat.postMessage", data)
Require explicit user confirmation of the destination and message content before sending Slack messages.
Search results may reveal workspace content to the agent, and message text should not be treated as authoritative instructions.
Slack search results are returned into the agent/output context. This is purpose-aligned, but workspace messages can be sensitive or contain untrusted instructions.
response = requests.get(f"{self.base_url}/search.messages", headers=headers, params=params)
return response.json()
Limit token scopes and search usage, and treat Slack search results as untrusted content unless the user asks otherwise.
A future install may resolve a different requests version than the one the author tested.
The package dependency is declared without a pinned version. This is common for simple integrations, but it reduces reproducibility and supply-chain reviewability.
"dependencies": ["requests"]
Pin dependency versions or provide a lockfile for reproducible installation.
