Slack
Security checks across malware telemetry and agentic risk
Overview
This appears to be a legitimate Slack/Membrane integration, but it can run broad Slack actions such as posting, deleting files/messages, and archiving channels without explicit scoping or confirmation safeguards in the shown instructions.
Install only if you trust Membrane and are comfortable granting Slack workspace access. Before using it, check the Slack scopes and workspace, pin or verify the CLI package if possible, and require explicit confirmation for any Slack post, delete, invite, or archive operation.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent chooses the wrong action or parameters, it could post to Slack, delete Slack content, invite users, or archive a channel in the connected workspace.
The skill provides a generic action runner and lists high-impact Slack actions that can delete messages/files or archive conversations, but the shown instructions do not add confirmation or scope limits for destructive operations.
membrane action run <actionId> --connectionId=CONNECTION_ID --json ... Delete Message ... Delete File ... Archive Conversation
Require explicit user confirmation before any posting, deleting, inviting, or archiving action; verify exact workspace, channel, message, file, and user IDs; and prefer least-privilege Slack scopes.
The connected Slack account or workspace permissions determine what the agent may be able to read or change.
The skill requires delegated authentication through Membrane and Slack, with automatic credential refresh. This is expected for a Slack integration but grants continuing account/workspace authority.
Membrane handles authentication and credentials refresh automatically ... membrane connection ensure "https://slack.com"
Review the Slack OAuth scopes and connected workspace carefully, use the least-privileged account practical, and revoke the Membrane/Slack connection when no longer needed.
A future or compromised CLI package version could affect the behavior of the integration.
The setup uses a global npm install with @latest and an npx invocation. This is central to the stated Membrane workflow, but it relies on whatever package version is current at run time.
npm install -g @membranehq/cli@latest ... npx @membranehq/cli connection get <id> --wait --json
Install from the official package source, consider pinning a reviewed Membrane CLI version, and avoid running the setup in a privileged shell.
Remote instructions from the integration provider could influence how the agent proceeds during connection setup.
The skill allows remote connection responses to provide instructions to the agent. This is likely intended setup guidance, but such instructions should not override the user’s request or safety checks.
clientAction.agentInstructions (optional) — instructions for the AI agent on how to proceed programmatically.
Treat returned agent instructions as limited operational hints for the Slack connection flow, and ignore them if they conflict with the user’s request or platform safety rules.
Slack workspace data and action requests may pass through Membrane as part of normal operation.
Slack actions and credential handling are mediated through the Membrane service. This is disclosed and purpose-aligned, but it means sensitive Slack data and delegated access depend on a third-party integration boundary.
This skill uses the Membrane CLI to interact with Slack. Membrane handles authentication and credentials refresh automatically
Use this only if you trust Membrane for Slack integration handling, and review Membrane’s account, privacy, and connection-management settings.