Slack Actions

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Slack bot skill that can read and change Slack content, so it should be installed only with intentional workspace approval and limited bot permissions.

Install only if you want an agent to act through a Slack bot. Use a dedicated bot token, grant the smallest scopes and channel access needed, avoid sensitive channels unless required, and require explicit confirmation before posting, editing, deleting, pinning, unpinning, or reading channel history.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger phrases are broad natural-language requests like 'Send this to #engineering' and 'Who is U123?', which can overlap with ordinary conversation and increase the chance of unintended invocation. In a skill that can send, edit, delete, pin, and read Slack content, ambiguous activation can lead to unauthorized or surprising actions, especially for destructive or privacy-sensitive operations.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The overview emphasizes capabilities to read recent channel history and retrieve member information but does not prominently warn users that these are privacy-sensitive operations. This omission can cause users or downstream agents to underestimate the sensitivity of invoking the skill, increasing the risk of inappropriate access to Slack conversations or profile data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal