suspicious.dangerous_exec
- Location: src/auth.js:54
- Finding: Shell command execution detected (child_process).
Advisory: audited by static analysis on May 10, 2026.
Detected: suspicious.dangerous_exec
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill can read Slack content and perform Slack actions as you, including in DMs and private channels you can access.
The skill uses the user’s existing Slack desktop session rather than a scoped Slack app or bot token, so successful commands operate with the user’s Slack identity and workspace access.
Auto-authenticates from the Slack desktop app — no tokens, no OAuth, no app installs. Acts as your user (`xoxc-` session tokens).
Install only if you trust the package and the agent environment. Prefer one-time Keychain Allow over Always Allow, and consider a separate workspace account or scoped bot integration for lower-risk automation.
A local process or user that can read the token cache may be able to reuse the Slack session token until it expires or is invalidated.
The code persists the Slack session token to a local JSON cache without visible file-permission hardening in the artifact.
```js
const TOKEN_CACHE = join(CACHE_DIR, "token-cache.json");
...
writeFileSync(TOKEN_CACHE, JSON.stringify({ token, ts: Date.now() }));
```

Check the permissions on ~/.local/slk/token-cache.json, delete it when it is not needed, and avoid installing this on shared or managed machines unless you accept local persistence of the session token.
Messages or reads could go to an unintended DM instead of a channel when names collide.
The resolver checks unqualified names as users before channel names, so a command like `slk send engineering ...` could open a DM if a matching user exists.
```js
if (nameOrId.startsWith("@") || !nameOrId.includes("#")) {
  ...
  const dm = await slackApi("conversations.open", { users: user.id });
  if (dm.ok) return dm.channel.id;
}
```

Use explicit channel IDs or `#channel` names for important actions, and update the resolver to require `@` for users or to prefer channels for channel commands.
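The collision described above, as an added example that is not the slk package's own code: a minimal resolver with the same users-before-channels branch, beside a hardened version that treats `#name` only as a channel, `@name` only as a user, and a bare name as a channel first. `slackApi`, `WORKSPACE` and the IDs are constructed in-memory stand-ins for the Slack Web API and a real workspace.

```javascript
// Added example, not code from the slk package. Workspace data and slackApi are constructed.
const WORKSPACE = {
  users: [
    { id: "U024ENGBOT", name: "engineering" }, // a user named like the channel
    { id: "U024ALICE", name: "alice" },
  ],
  channels: [
    { id: "C024ENGCH", name: "engineering" },
    { id: "C024GENERAL", name: "general" },
  ],
};

// Constructed in-memory stand-in for slackApi(method, params).
async function slackApi(method, params = {}) {
  switch (method) {
    case "users.list":
      return { ok: true, members: WORKSPACE.users };
    case "conversations.list":
      return { ok: true, channels: WORKSPACE.channels };
    case "conversations.open": {
      const user = WORKSPACE.users.find((u) => u.id === params.users);
      return user ? { ok: true, channel: { id: `D-${user.id}` } } : { ok: false };
    }
    default:
      return { ok: false, error: "unknown_method" };
  }
}

async function findUser(name) {
  const { members } = await slackApi("users.list");
  return members.find((u) => u.name === name.replace(/^@/, "")) || null;
}

async function findChannel(name) {
  const { channels } = await slackApi("conversations.list");
  return channels.find((c) => c.name === name.replace(/^#/, "")) || null;
}

async function openDm(userId) {
  const dm = await slackApi("conversations.open", { users: userId });
  return dm.ok ? dm.channel.id : null;
}

// Same branch condition as the snippet above: any name without "#" is tried as
// a user first, so "engineering" lands in a DM although a channel exists.
async function resolveUnsafe(nameOrId) {
  if (nameOrId.startsWith("@") || !nameOrId.includes("#")) {
    const user = await findUser(nameOrId);
    if (user) {
      const dmId = await openDm(user.id);
      if (dmId) return dmId;
    }
  }
  const channel = await findChannel(nameOrId);
  return channel ? channel.id : null;
}

const ID_RE = /^[CDGU][A-Z0-9]{4,}$/; // conversation or user ID, used as-is

// Hardened: "#name" is only ever a channel, "@name" only ever a user, and a
// bare name is a channel first; a DM is opened only when no channel matches.
async function resolveSafe(nameOrId) {
  if (ID_RE.test(nameOrId)) {
    return nameOrId.startsWith("U") ? openDm(nameOrId) : nameOrId;
  }
  const wantsUser = nameOrId.startsWith("@");
  const wantsChannel = nameOrId.startsWith("#");
  if (!wantsUser) {
    const channel = await findChannel(nameOrId);
    if (channel) return channel.id;
    if (wantsChannel) return null; // an explicit "#name" never falls back to a DM
  }
  const user = await findUser(nameOrId);
  return user ? openDm(user.id) : null;
}

(async () => {
  console.log("unsafe:", await resolveUnsafe("engineering")); // DM with the user
  console.log("safe:  ", await resolveSafe("engineering"));   // the channel
})();
```

For a command whose only sensible target is a channel (`send engineering`, `pins engineering`), the stricter option is to call `findChannel` directly and refuse a bare name that does not match one; the fallback to a DM in `resolveSafe` is kept here only for commands that legitimately accept either.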
Installing the package means trusting its local command execution around credential stores.
The package executes local system commands to extract and validate Slack credentials; this is disclosed and central to its macOS authentication design.
```js
execSync(`security find-generic-password -s "Slack Safe Storage" -a "${account}" -w`, ...)
```

Review the package source and install only from a trusted version; be cautious about PATH or environment tampering on machines where this runs.
If a coding agent follows these development instructions in the source tree, it could use local npm publishing credentials and affect the package supply chain.
Development-only agent instructions include a high-impact npm publishing workflow using a local publish token; it is not invoked by the Slack CLI runtime, but it matters if an agent works on this package source.
```sh
echo "//registry.npmjs.org/:_authToken=${NPM_PUBLISH_TOKEN}" > .npmrc && npm publish && rm .npmrc
```

Keep publishing workflows out of installed skill artifacts where possible, and require explicit human approval before any npm publish command.
Slack messages can contain sensitive data, stale instructions, or prompt-injection-like text that an agent might over-trust.
The skill is designed to pull Slack messages into the agent’s working context, where content from other workspace members may influence the agent.
**Search-driven context** — `slk search "deployment process"` or `slk pins <channel>` to pull context before answering questions
Treat Slack content as untrusted data unless the user confirms it, and avoid following instructions found inside Slack messages without separate approval.