Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Slk

v0.1.7

Read, send, search, and manage Slack messages and DMs via the slk CLI. Use when the user asks to check Slack, read channels or DMs, send Slack messages, search Slack, check unreads, manage drafts, view saved items, or interact with Slack workspace. Also use for heartbeat Slack checks. Triggers on "check slack", "any slack messages", "send on slack", "slack unreads", "search slack", "slack threads", "draft on slack", "read slack dms", "message on slack".

by Rohit Das (@therohitdas)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (Slack CLI to read/send/search Slack as the user) aligns with the code and runtime behavior: the package auto-extracts session tokens from the Slack desktop app and calls Slack API endpoints to read/send messages, manage drafts, search, etc.
Instruction Scope
SKILL.md instructs agents to use the slk CLI for reads, sends, searches and heartbeat checks. The instructions are explicit about the tool extracting session tokens from Keychain/LevelDB and about token caching. The skill grants an agent discretion to run recurring 'heartbeat' checks (unread monitoring) which will repeatedly read user messages — this is expected for an agent-facing Slack CLI but is sensitive and worth explicitly consenting to.
Install Mechanism
Install is via the npm package 'slkcli' (registry), which is a normal package-based install; no arbitrary URL downloads or archive extraction are used. Source files are included in the package manifest, not fetched from a personal server.
Credentials
The skill requests no environment variables, which is coherent, but the runtime code invokes several system utilities (macOS 'security', the 'sqlite3' CLI, 'openssl', 'python3', and 'curl') to extract/decrypt cookies and validate tokens. The skill metadata only declares the 'slk' binary as required, so the additional required system tools are not explicitly listed; this mismatch is a packaging/manifest omission. Also, the code reads the Keychain, the Slack cookie DB, and LevelDB (user session credentials). Those accesses are necessary for the stated session-based auth behavior but are highly sensitive (they extract session tokens that act as your user).
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It caches tokens to ~/.local/slk/token-cache.json (expected). It spawns helper processes and writes temporary files during decryption but generally cleans them up; token cache is local to the user.
What to consider before installing
This package is functionally what it says: a macOS Slack CLI that auto-extracts your session token from the Slack desktop app (Keychain + cookies + LevelDB) and then acts with your user privileges. Before installing:
- Understand the sensitivity: the tool extracts session tokens that let it act as you (xoxc- tokens). That is required for its design, but it is powerful: any message-sending or reading capabilities are performed as your user.
- Expect macOS prompts: on first run macOS will prompt for Keychain access to 'Slack Safe Storage'. Choosing 'Always Allow' makes future extractions silent; prefer 'Allow' if you want visibility into each access.
- Check system dependencies: the code invokes security, sqlite3, openssl, python3 and curl. Confirm these binaries are present and trustworthy on your machine. The skill metadata only lists the slk binary, so this omission is a packaging issue.
- Validate the npm package & author: inspect the package contents, README, and the npm/GitHub project (verify repository and publisher) before installing; if you need organizational approval, get it first.
- Consider alternatives: use an official Slack bot token or OAuth app with limited scopes if you want agent access with auditable, revocable credentials rather than extracting your user session.
Given the sensitive operations and the mismatch between declared and actually-required system tools, treat this as suspicious until you verify the package source and are comfortable with session-token extraction.

Like a lobster shell, security has layers — review code before you run it.

latest vk975pntgz74j5hpjfj9c269v4x80y3y1

Runtime requirements

💬 Clawdis
OS: macOS
Bins: slk

Install

Install slk (npm)
Bins: slk
npm i -g slkcli
