teammate.skill

Audited by ClawScan on May 10, 2026.

Overview

This skill is mostly transparent about its purpose, but it can collect and persist sensitive coworker Slack, email, GitHub, and workspace data using broad credentials, so it deserves careful review before use.

Install only if you are comfortable collecting teammate-related workplace data into local agent files. Use narrow Slack/GitHub permissions, collect only authorized channels/repos/files, inspect and redact the generated `knowledge` and `teammates` folders, and be careful before exporting or globally installing generated teammate skills.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A token used for this skill could allow collection of sensitive Slack channels or private repository activity beyond what a user may expect from a generated teammate profile.

Why it was flagged

The optional collectors use Slack and GitHub credentials that can read broad workspace communications and private repositories. This is relevant to the skill’s purpose, but it grants high-impact account access.

Skill content

Add Bot Token Scopes ... `channels:history` ... `channels:read` ... `users:read` ... `groups:history` *(optional)* Read private channels ... `search:read` *(optional)* Search messages ... Create a Personal Access Token ... Select scope: `repo` (private repos)

Recommendation

Use least-privilege credentials, avoid private-channel or full `repo` scopes unless truly needed, and confirm workspace authorization before collecting another person’s communications or code activity.

What this means

Private messages, emails, docs, or code-review material may become durable agent context and influence future outputs, including generated skills that could be copied or shared.

Why it was flagged

The skill stores collected source material and generated teammate behavior as persistent local files, then reuses and evolves them across future interactions.

Skill content

Generated teammate files go to `teammates/{slug}/` ... Slack auto-collect ... `--output-dir ./knowledge/{slug}` ... Enter evolution mode when: "I have new files" / "append" / "add more context"

Recommendation

Review what is stored under `knowledge/{slug}` and `teammates/{slug}`, redact sensitive material before generating or exporting, and delete raw source files when they are no longer needed.

What this means

Running the collectors can read from external services and write local knowledge files.

Why it was flagged

The skill instructs the agent to run local Python collectors and parsers. This is central to the stated purpose, but it gives the skill tool-execution capability for data collection.

Skill content

Run scripts | `Bash` tool | `exec` tool ... Slack auto-collect | `python3 {baseDir}/tools/slack_collector.py --username "{user}" --output-dir ./knowledge/{slug}` ... GitHub auto-collect | `python3 {baseDir}/tools/github_collector.py --username "{user}" --repos "{repos}" --output-dir ./knowledge/{slug}`

Recommendation

Run collector commands only after reviewing the exact username, repositories, output directory, and limits.

What this means

Future dependency versions could change behavior or introduce vulnerabilities.

Why it was flagged

The optional Slack collector depends on an external Python package specified with a minimum version rather than an exact pinned version.

Skill content

`pip3 install -r requirements.txt` ... This installs `slack_sdk>=3.0`

Recommendation

Install dependencies in a virtual environment and pin or review package versions for production use.