Slk
Warn
Audited by ClawScan on May 10, 2026.
Overview
This Slack skill is transparent about its purpose, but it extracts and caches your desktop Slack session credentials so an agent can read and post as you.
Review carefully before installing. This is not a limited Slack bot; it uses your logged-in Slack desktop session and can act as you. Prefer one-time Keychain approval, avoid unattended posting unless you set clear rules, and delete ~/.local/slk/token-cache.json if you want to revoke the cached session token.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent or local process that can run this CLI can read accessible Slack content and perform Slack actions as you.
The skill uses the user's existing Slack desktop session credentials rather than a scoped bot/OAuth grant, giving the CLI and any invoking agent broad access as the user.
Keychain password | `security find-generic-password -s "Slack Safe Storage"` ... Encrypted cookie | `<slack-data-dir>/Cookies` ... Session token | `<slack-data-dir>/Local Storage/leveldb/`
Install only if you are comfortable granting user-level Slack session access; prefer one-time Keychain approval, monitor/delete the token cache, and restrict when agents may invoke it.
The skill will execute local commands that can trigger Keychain access and handle sensitive Slack session material.
The code runs local system commands to obtain and validate Slack credentials. This matches the documented macOS auto-auth design, but users should be aware that the skill executes host commands.
import { execSync, spawnSync } from "child_process"; ... execSync(`security find-generic-password -s "Slack Safe Storage" -a "${account}" -w`)
Review the package source before installing and do not run it from untrusted shells or agent workflows.
If an agent uses these commands too freely, it could send messages, add reactions, or delete drafts under your Slack identity.
The skill exposes real Slack write actions. They are disclosed and purpose-aligned, but the artifacts do not require a confirmation step before posting or changing Slack state.
`slk send <channel> <message>` ... `slk react <channel> <ts> <emoji>` ... `slk draft drop <draft_id>`
Configure your agent to ask for confirmation before `send`, `react`, or `draft drop`; use draft commands for human review when possible.
Private or sensitive Slack content may be exposed to the agent context, and Slack messages themselves could contain untrusted instructions.
The skill is intended to pull private Slack messages and DMs into the agent's working context for summaries and actions.
Weekly DM summary — `slk read @boss 200 --from 2026-02-01 --threads` → extract action items, decisions, context
Use it only in workspaces and channels you are comfortable sharing with the agent, and instruct the agent to treat Slack message text as data rather than commands.
