Security audit

Slack Automator

Security checks across malware telemetry and agentic risk

Overview

This Slack helper is mostly purpose-aligned, but its script can run local code from crafted message or configuration text and it stores Slack webhook secrets and message history in plaintext.

Review carefully before installing. Do not use this version with untrusted or copied message text, rotate any webhook URL that may have been exposed, keep the webhook scoped to the least sensitive Slack channel, and treat ~/.slack-automator/config.json, history, templates, schedules, and exports as sensitive local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium, 86% confidence
Finding
The broad 'use when' wording encourages invocation for loosely related tasks such as monitoring chats or syncing channels, even though the documented functionality is much narrower. Overbroad activation criteria increase the chance an agent uses the skill on sensitive workflows or data that do not match its real capabilities, potentially causing accidental outbound transmission to Slack or unnecessary local storage.

Missing User Warnings

Medium, 94% confidence
Finding
The skill advertises full send history and export but does not warn that message contents may be stored locally, which can include sensitive operational or personal data. Users may unknowingly persist confidential messages to disk and later expose them through exports, backups, or shared machines.

Missing User Warnings

Medium, 96% confidence
Finding
The setup instructions tell users to save a Slack Incoming Webhook URL locally without clearly warning that the webhook is a secret credential. If that URL is exposed through files, logs, screenshots, backups, or multi-user systems, an attacker can post arbitrary messages into the associated Slack channel.

Missing User Warnings

Medium, 92% confidence
Finding
The data storage section documents persistent local history files but omits any warning about privacy and retention risks. Complete message histories can accumulate sensitive content over time, making the host system a secondary repository of Slack-related data that may be easier to access than Slack itself.

Missing User Warnings

Medium, 88% confidence
Finding
The script persists the Slack incoming webhook URL in plaintext under ~/.slack-automator/config.json without clearly warning the user that a reusable secret is being stored locally. If another local user, malware, backups, or logs can access that file, the webhook can be abused to post arbitrary messages into the connected Slack workspace.

VirusTotal

56/56 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.