Slk

Security checks across malware telemetry and agentic risk

Overview

This Slack skill is transparent enough not to look malicious, but it needs review because it extracts and caches your desktop Slack session and can read or post as you.

Install only if you intentionally want a CLI or agent to act as your logged-in Slack user, including access to DMs/private channels and the ability to send messages. Prefer one-time Keychain Allow over Always Allow, protect or delete the token cache when not needed, and require your own confirmation before sends, reactions, or draft deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (32)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill exposes significant capabilities including shell, file reads, network access, and environment use, but does not declare permissions or boundaries. That makes it harder for users and policy layers to understand that the skill can access local Slack artifacts and operate with broad local privileges.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding:
The description frames the skill as ordinary Slack interaction, but the content reveals it authenticates by extracting session credentials from Slack desktop storage and Keychain. That is materially more sensitive than typical messaging behavior and can mislead users into invoking a tool that performs credential access and broad account actions as their identity.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The development guide includes git push, npm publish, version bumping, and local skill-copy deployment steps that exceed the skill's declared purpose of interacting with Slack. In an agent context, these instructions expand the operational scope from messaging to software release and filesystem modification, creating a pathway for unintended repository changes, package publication, or supply-chain impact if the agent follows them.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The guide exposes use of an npm publishing token from an environment variable and instructs creating an .npmrc containing that secret, which is outside the stated Slack messaging function. In an agent environment, surfacing secret-handling and publication workflows increases the chance of credential misuse, accidental disclosure, or unauthorized package publication.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The README documents that the skill authenticates by extracting Slack desktop session credentials from macOS Keychain and local Slack storage, but the skill metadata presented to users frames it as ordinary Slack reading/sending functionality. That omission is security-relevant because users may authorize a messaging skill without understanding it performs credential extraction from local secrets stores and session databases.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The documented capability goes beyond normal message handling: it reads Keychain material, decrypts Slack cookies, scans LevelDB for xoxc tokens, and caches validated tokens on disk. For an agent skill whose stated purpose is user-facing Slack messaging, this is an unusually powerful credential-access mechanism that materially increases the blast radius if the agent, host, or cache is compromised.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding:
The file’s own header states it extracts Slack session credentials from Keychain, cookies, and LevelDB, which is materially different from the manifest’s stated purpose of interacting with Slack via the slk CLI. This mismatch is dangerous because it hides credential-harvesting behavior behind a benign description, increasing the likelihood of unauthorized access to the user’s Slack workspace.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
This code retrieves the 'Slack Safe Storage' secret from macOS Keychain and uses it to decrypt Slack’s local cookie material, directly extracting session credentials. Accessing and decrypting locally stored auth secrets without explicit consent is credential theft behavior and exceeds what is needed to send or read Slack messages through a normal integration.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The code scans Slack LevelDB files and invokes Python to recover xoxc tokens from local application data, including handling compressed artifacts to improve extraction success. This is an intentional credential-recovery pipeline aimed at harvesting bearer tokens, which could enable full Slack account/session misuse.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The skill validates stolen or recovered credentials by calling Slack’s auth.test API directly with the bearer token and decrypted cookie, confirming which secrets are usable. This increases operational reliability of the credential-harvesting flow and bypasses the declared slk CLI interaction model.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The skill metadata understates implemented capabilities by omitting user enumeration, pins access, reactions, and VIP/starred inspection. This matters because an orchestrating agent or reviewer may grant or invoke the skill under an incomplete understanding of its read/write scope, enabling broader Slack access and state changes than the manifest suggests.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
Writing the npm auth token directly into .npmrc materializes a sensitive credential on disk without any warning, safeguards, or cleanup guarantees beyond a best-effort rm step. In an automated agent workflow this can leak credentials through logs, crashes, shell history, workspace persistence, or accidental commit of the generated file.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The one-liner combines versioning, git commit/push, token materialization, npm publish, token cleanup, and local file copy into a single chained command with significant side effects and no safety barriers. This is dangerous in an agent setting because it encourages blind execution of release and secret-handling operations that can publish code, alter repositories, and expose credentials if any step misbehaves.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The instructions write a live npm auth token into a plaintext .npmrc file in the working directory, which can be exposed through shell history, accidental commits, workspace indexing, backup tooling, or concurrent processes reading the file before deletion. Even though the file is removed afterward, the pattern normalizes unsafe secret handling and increases the chance of credential leakage.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The document explicitly describes automatic extraction of Slack session credentials, including xoxc tokens and xoxd cookies, from the desktop app and local cache. These are highly sensitive session artifacts that can allow account access and message retrieval/sending, so documenting their extraction without strong warnings and access controls materially increases the risk of credential misuse.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The README encourages agent-driven send and draft workflows but does not prominently warn that all outbound actions occur under the user's own Slack identity because the tool uses session credentials, not bot tokens. This can lead to unintended impersonation, reputational harm, or accidental policy violations if an agent sends, drafts, reacts, or searches in sensitive workspaces without explicit user awareness.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The trigger phrases are broad enough that generic Slack-related requests may invoke the skill without the user realizing it will access private workspace data or act as them. Over-broad activation increases the chance of unintended reads, searches, and message transmission in a sensitive communications environment.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill lacks a prominent warning that it reads private Slack data and sends messages as the user via session-based authentication. In this context, omission of that warning can undermine informed consent and lead to accidental disclosure, impersonation-like actions, or privacy violations.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The help text states that the CLI automatically reads credentials from the local Slack desktop app and caches tokens, but provides no explicit warning, consent flow, or scope limitation. In an agent skill context, this is dangerous because the tool can silently inherit a user's Slack session and access workspace data without the user understanding that local desktop credentials are being harvested and reused.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
Recovered Slack tokens are written to a local cache file in the user’s home directory without disclosure, which persists sensitive credentials beyond their original protected stores. This expands the attack surface because any local compromise or overly broad file permissions could expose reusable Slack auth material.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The code accesses sensitive local credentials from macOS Keychain and Slack storage without any user warning, prompt, or informed consent. In the context of a skill advertised for routine Slack interaction, undisclosed secret access is especially dangerous because users would not reasonably expect credential extraction from their desktop app.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
The code transmits extracted token and cookie material to Slack over the network to test their validity, without user-facing disclosure. Even though the destination is Slack, sending harvested credentials off the local machine operationalizes the theft and confirms which secrets can be used for account access.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The send command performs a Slack write action immediately with no confirmation, dry-run mode, or explicit warning that it will post to a resolved channel or DM. In an agent setting, ambiguous channel resolution and automatic execution increase the risk of accidental messages, disclosure to the wrong recipient, or social/operational harm from unintended posts.

Missing User Warnings

Severity: Low
Confidence: 86%
Finding:
The reaction command mutates Slack state without any confirmation or warning, which can cause unintended signaling or workflow side effects. Although lower impact than posting a message, reactions can still affect notifications, approvals, and user perception in a collaborative workspace.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The draft deletion path performs an irreversible remote state-changing action immediately after locating the draft, with no explicit confirmation, dry-run mode, or safeguard against accidental invocation. In an agent context, ambiguous user instructions, prompt injection, or mis-targeting could cause unintended deletion of user drafts and loss of unsent work.

VirusTotal

66/66 vendors flagged this skill as clean.
