Slk
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: slack-personal Version: 0.1.7 The skill is classified as suspicious due to its transparent but high-risk method of extracting Slack session credentials (xoxc- token and xoxd- cookie) from the macOS Keychain, Slack's LevelDB, and SQLite databases. This involves executing system commands like `security`, `sqlite3`, `openssl`, `python3`, and `curl` via `child_process.execSync` and `child_process.spawnSync` in `src/auth.js`. While the code's intent is to enable a legitimate Slack CLI for the local user and it explicitly warns about the security implications of 'Always Allow' for Keychain access in `README.md` and `SKILL.md`, the powerful system interactions for credential access represent a significant attack surface and potential vulnerability if the tool were compromised or misused. There is no evidence of intentional data exfiltration to unauthorized endpoints, persistence mechanisms, or malicious prompt injection against the AI agent in the documentation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill can read Slack content and perform Slack actions as you, including in DMs and private channels you can access.
The skill uses the user’s existing Slack desktop session rather than a scoped Slack app or bot token, so successful commands operate with the user’s Slack identity and workspace access.
Auto-authenticates from the Slack desktop app — no tokens, no OAuth, no app installs. Acts as your user (`xoxc-` session tokens).
Install only if you trust the package and the agent environment. Prefer one-time Keychain Allow over Always Allow, and consider a separate workspace account or scoped bot integration for lower-risk automation.
A local process or user that can read that cache may be able to reuse the Slack session token until it expires or is invalidated.
The code persists the Slack session token to a local JSON cache without visible file-permission hardening in the artifact.
const TOKEN_CACHE = join(CACHE_DIR, "token-cache.json"); ... writeFileSync(TOKEN_CACHE, JSON.stringify({ token, ts: Date.now() }));Check permissions on ~/.local/slk/token-cache.json, delete it when not needed, and avoid installing this on shared or managed machines unless you accept that local token persistence.
Messages or reads could go to an unintended DM instead of a channel when names collide.
The resolver checks unqualified names as users before channel names, so a command like `slk send engineering ...` could open a DM if a matching user exists.
if (nameOrId.startsWith("@") || !nameOrId.includes("#")) { ... const dm = await slackApi("conversations.open", { users: user.id }); if (dm.ok) return dm.channel.id; }Use explicit channel IDs or `#channel` names for important actions, and update the resolver to require `@` for users or to prefer channels for channel commands.
Installing the package means trusting its local command execution around credential stores.
The package executes local system commands to extract and validate Slack credentials; this is disclosed and central to its macOS authentication design.
execSync(`security find-generic-password -s "Slack Safe Storage" -a "${account}" -w`, ...)Review the package source and install only from a trusted version; be cautious about PATH or environment tampering on machines where this runs.
If a coding agent follows these development instructions in the source tree, it could use local npm publishing credentials and affect the package supply chain.
Development-only agent instructions include a high-impact npm publishing workflow using a local publish token; it is not invoked by the Slack CLI runtime, but it matters if an agent works on this package source.
echo "//registry.npmjs.org/:_authToken=${NPM_PUBLISH_TOKEN}" > .npmrc && npm publish && rm .npmrcKeep publishing workflows out of installed skill artifacts where possible, and require explicit human approval before any npm publish command.
Slack messages can contain sensitive data, stale instructions, or prompt-injection-like text that an agent might over-trust.
The skill is designed to pull Slack messages into the agent’s working context, where content from other workspace members may influence the agent.
**Search-driven context** — `slk search "deployment process"` or `slk pins <channel>` to pull context before answering questions
Treat Slack content as untrusted data unless the user confirms it, and avoid following instructions found inside Slack messages without separate approval.