Slk

Security checks across malware telemetry and agentic risk

Overview

This Slack skill is transparent about using your desktop Slack session, but it accesses and caches highly sensitive Slack credentials and can act as you, so it needs review before install.

Install only if you intentionally want a macOS-only Slack CLI that reuses your logged-in Slack desktop session. Prefer one-time Keychain Allow over Always Allow, understand that the tool can read private channels/DMs and post as you, avoid using it on shared or managed machines, and delete ~/.local/slk/token-cache.json if you want to clear the cached Slack token.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration

Findings (27)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill declares no explicit permissions while its documented behavior clearly requires shell execution, filesystem access, network access, and access to local application data and credentials. This creates a transparency and review gap: operators may invoke the skill without understanding that it can read local Slack storage and authenticate as the user.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 97% confidence
Finding: The description frames the skill as a Slack messaging utility, but the documentation reveals substantially more sensitive behavior: extracting session credentials from Slack desktop storage and macOS Keychain, caching tokens locally, and using undocumented APIs. That mismatch can defeat informed consent and cause users to approve a tool that effectively performs credential recovery and impersonation as their Slack user.

Context-Inappropriate Capability

Medium

Confidence: 90% confidence
Finding: The guide explicitly references credential extraction from Keychain, LevelDB, and token cache, which exceeds the stated end-user purpose of a Slack messaging skill and normalizes access to local secret stores. In an agent setting, this broadens the authority of the skill and could lead to unnecessary collection or misuse of sensitive local credentials.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The development guide includes version bumping, git commit/push, npm publishing, and copying skill files into a local bot directory, none of which are necessary for reading or sending Slack messages. In an agent context, these instructions could induce repository modification and software release actions far beyond the user's expected Slack-task scope.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The documentation explicitly states that the tool performs credential extraction from the macOS Keychain and Slack desktop app storage (LevelDB). For a skill whose user-facing purpose is reading and sending Slack messages, baking in local credential harvesting expands privileges beyond normal delegated auth and creates a dangerous path to unauthorized account access if reused or abused.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The auth section says the tool uses Slack session cookies and auto-extracts xoxc/xoxd credentials from the desktop app cache. Session-token and cookie harvesting is highly sensitive because it can bypass standard app authorization boundaries and enable full account/session impersonation, making the skill materially more dangerous in this context.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The skill advertises ordinary Slack message management, but it explicitly states that it auto-authenticates by extracting session tokens from Slack desktop storage. Credential extraction is a materially more sensitive capability than the stated purpose and enables full user-level access to Slack if abused or if the cached material is exposed.

Context-Inappropriate Capability

Medium

Confidence: 98% confidence
Finding: Accessing macOS Keychain and Slack LevelDB to obtain authentication material exposes highly sensitive secrets outside normal least-privilege expectations for a messaging skill. Because the tool acts as the user, compromise or misuse can lead to reading, sending, and modifying Slack content across the workspace, with limited visibility that the session was bootstrapped from recovered local secrets.

Description-Behavior Mismatch

Medium

Confidence: 85% confidence
Finding: The API wrapper exposes destructive Slack capabilities such as chat.delete and drafts.delete even though the skill description only advertises reading, sending, searching, and managing messages and DMs via Slack. This creates a permissions/behavior mismatch that can enable unintended or deceptive use of the skill, especially if higher-level tooling assumes the manifest accurately describes available actions.

Description-Behavior Mismatch

High

Confidence: 99% confidence
Finding: This file explicitly states that it extracts Slack session credentials from the local desktop app by pulling a Keychain secret, decrypting the Slack cookie, and scraping bearer tokens from LevelDB. That directly contradicts the skill’s declared interface of using the slk CLI and gives the skill covert credential-access capability far beyond normal Slack message management.

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: The code uses the macOS security tool to retrieve the 'Slack Safe Storage' secret, copies and decrypts the Slack Cookies database, and extracts the xoxd session cookie. This is credential harvesting from another application’s protected storage and enables unauthorized reuse of the user’s authenticated Slack session.

Context-Inappropriate Capability

Medium

Confidence: 98% confidence
Finding: The code scans Slack LevelDB files for xoxc bearer tokens, invokes Python to mine additional token candidates, and validates them with curl against Slack’s API. This creates an undisclosed token recovery and verification pipeline that is unnecessary for the stated messaging function and materially increases the ability to hijack Slack access.

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The skill exposes capabilities beyond the stated description of reading, sending, and searching Slack messages and DMs. Functions for reactions, pins, starred items, saved items, preference inspection, and user directory access expand the data and action surface, which can lead to unauthorized privacy-sensitive access or user surprise if higher-privilege Slack scopes are granted than expected.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The publishing instructions write an npm auth token into a local .npmrc file and then invoke npm publish, but they do not warn about credential sensitivity, file exposure, or accidental persistence. This increases the chance that an agent or user will mishandle a live publish token or expose it through logs, files, or unintended commits.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The instructions describe writing an npm auth token into a .npmrc file and publishing, without any warning about secret handling, shell history exposure, file-permission risks, or accidental inclusion in artifacts. While aimed at release automation, exposing operational steps for handling a sensitive publish token increases the chance of credential leakage or misuse.

Vague Triggers

Medium

Confidence: 80% confidence
Finding: The trigger phrases are broad and likely to match normal conversation such as 'check Slack' or 'any Slack messages,' increasing the chance of accidental invocation. In this skill, accidental invocation is more dangerous than usual because the tool can read private messages and authenticate as the user's live Slack session.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The documentation includes commands that send messages, add reactions, create drafts, and delete drafts, but it does not prominently warn that these are real external side effects performed as the user's Slack identity. Without explicit warnings and confirmation, an agent could alter external state or communicate on the user's behalf unexpectedly.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The file explicitly states that authentication is pulled automatically from the local Slack desktop app, which grants immediate access to workspace data and the ability to send or modify content without a separate consent step in this CLI entrypoint. In an agent-skill context, this is more dangerous because a user may invoke seemingly harmless Slack checks while the tool silently reuses broad desktop credentials to access channels, DMs, saved items, pins, and drafts.

Missing User Warnings

High

Confidence: 97% confidence
Finding: Recovered Slack credentials are cached to disk in ~/.local/slk/token-cache.json without user disclosure, consent, or protection controls. Persisting stolen or highly sensitive tokens expands the attack window, enables reuse by other local processes, and makes post-compromise cleanup harder.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The skill silently accesses Keychain-derived material and Slack local state without any user-facing notice. In the context of a Slack messaging skill, covert access to protected credentials is especially dangerous because users would reasonably expect ordinary messaging operations, not secret extraction from another app.

Missing User Warnings

High

Confidence: 96% confidence
Finding: The code sends recovered bearer tokens and session cookies to Slack’s auth.test endpoint to verify they work, without informing the user. Even though the destination is Slack, this still constitutes undisclosed use of extracted credentials and confirms exploitable account access.

Missing User Warnings

Low

Confidence: 80% confidence
Finding: The code retrieves Slack user preference data, including notification preferences and VIP users, which are privacy-sensitive and not clearly covered by the skill description. Accessing personal preference state expands the scope from message operations into personal-profile metadata, increasing the risk of over-collection and misuse if users are not informed.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The draft listing routine prints extracted draft text directly to stdout, which can expose potentially sensitive or private Slack message content in terminal logs, agent transcripts, or other downstream capture systems. In the context of a Slack-integrated skill, drafts commonly contain unsent confidential messages, making this more dangerous than ordinary debug output because users may not expect draft contents to be echoed back automatically.

Credential Access

High

Category: Privilege Escalation
Content: ## Auth Automatic — extracts session token from Slack desktop app's LevelDB + decrypts cookie from macOS Keychain. **First run:** macOS will show a Keychain dialog asking to allow access to "Slack Safe Storage": - **Allow** — one-time access, prompted again next time
Confidence: 99% confidence
Finding: Keychain

Credential Access

High

Category: Privilege Escalation
Content: Automatic — extracts session token from Slack desktop app's LevelDB + decrypts cookie from macOS Keychain. **First run:** macOS will show a Keychain dialog asking to allow access to "Slack Safe Storage": - **Allow** — one-time access, prompted again next time - **Always Allow** — permanent, no future prompts (convenient but any process running as your user can extract credentials silently) - **Deny** — blocks access, slk cannot authenticate
Confidence: 99% confidence
Finding: Keychain

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal