Skill v0.1.1
ClawScan security
Slack Actions · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Feb 13, 2026, 5:55 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior (it clearly requires a Slack bot token) matches its description, but the published metadata does not declare the required credential. This mismatch and the handling of a highly sensitive token warrant caution.
- Guidance: Do not install blindfolded. Ask the publisher for source code or a homepage and request corrected registry metadata that explicitly lists SLACK_BOT_TOKEN as a required credential. If you proceed, create a dedicated Slack bot with the minimum OAuth scopes listed in the SKILL.md, restrict the bot to only the channels it needs, and use a non-production workspace to test. Rotate the token after testing and never give a shared or user-level token. Prefer installing only after the author provides a verifiable implementation (repo or package) and the registry entry is updated to declare the sensitive environment variable; if you cannot verify the implementation, treat the undeclared sensitive requirement as a red flag.
Review Dimensions
- Purpose & Capability (concern): The SKILL.md describes precisely the Slack operations you'd expect for a 'Slack Actions' skill (sending/editing/deleting messages, reactions, pins, reading history, listing emojis, user lookups). However, the registry metadata claims no required environment variables or primary credential, while the runtime instructions explicitly require SLACK_BOT_TOKEN. That metadata/behavior mismatch is an incoherence: either the metadata is incomplete or incorrect, or the skill author failed to declare a sensitive requirement.
- Instruction Scope (ok): The instructions in SKILL.md stay narrowly focused on Slack API actions and require only a Bot OAuth token and standard Slack scopes. The doc does not instruct the agent to read unrelated files, secrets, or system state. It also contains sensible behavioral rules (confirm IDs, avoid logging tokens).
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files. That is lower risk because nothing is downloaded or executed by default; however, actual runtime behavior depends on how the agent implements these instructions.
- Credentials (concern): The SKILL.md requires a single sensitive environment variable (SLACK_BOT_TOKEN) with broad workspace scopes, which is proportionate for a Slack integration, but the registry metadata fails to declare this. The absence of a declared primary credential reduces transparency and prevents reviewers and automated systems from flagging sensitive requirements. Additionally, bot tokens (xoxb-) can be powerful; ensure least-privilege scopes and use a dedicated bot account limited to the necessary channels.
- Persistence & Privilege (ok): 'always' is false, and the skill does not request system-wide persistence or modification of other skills' configs. The skill can be invoked autonomously by the agent (the default), which is expected; combined with a valid bot token, the agent could perform Slack actions, so token scope and limits are important.
