Slack Automator
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This Slack automation skill is mostly purpose-aligned, but its script appears to build Python source by interpolating message text directly into a Python heredoc, which could let crafted input run local code.
Review carefully before installing. The Slack webhook and local history behavior are expected for this type of tool, but the visible script should be fixed to avoid interpolating message text into Python code. Until then, avoid using it with untrusted or copied message content.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or copied message could run code on the user's machine under the agent's privileges before or while sending to Slack.
The script constructs Python source by directly inserting message and channel values into triple-quoted Python strings inside an unquoted shell heredoc, so the shell expands the values into the program text before python3 ever runs it. A crafted value containing triple quotes could break out of the string literal and execute arbitrary Python when the tool builds a Slack payload.
python3 <<PYEOF ... payload["text"] = """$text""" ... channel = """$channel"""
Do not pass untrusted text through this script as-is. The publisher should pass values to Python via argv, stdin, or environment variables and serialize with json.dumps instead of interpolating user input into Python source.
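A hardened version of the payload construction described in the finding above, as an added example that is not the skill's own code: the message text and channel reach Python through environment variables, the heredoc delimiter is quoted so the shell never expands anything inside the Python source, and json.dumps does the serialization. The function name, its two-argument interface, and the availability of python3 are assumptions.

```shell
#!/bin/sh
# Added example (not the skill's own code): build the Slack payload without
# ever placing user-supplied text inside Python source.

build_slack_payload() {
  # $1 = message text, $2 = channel name (assumed positional interface).
  # The values are handed to Python via the environment, and the heredoc
  # delimiter is single-quoted, so "$text"-style expansion into the Python
  # program text cannot happen. Python reads the values back and lets
  # json.dumps do all escaping, so triple quotes, backslashes and newlines
  # in the message are just data.
  SLACK_TEXT="$1" SLACK_CHANNEL="$2" python3 - <<'PYEOF'
import json
import os

payload = {
    "text": os.environ["SLACK_TEXT"],
    "channel": os.environ["SLACK_CHANNEL"],
}
# sort_keys keeps the output deterministic for comparison in tests/logs.
print(json.dumps(payload, sort_keys=True))
PYEOF
}

# Stand-alone usage: ./script.sh 'message text' '#channel'
if [ "$#" -eq 2 ]; then
  build_slack_payload "$1" "$2"
fi
```

The resulting JSON can be posted with the existing webhook call; the same pattern applies to the history entry, where the message and channel should likewise be serialized rather than interpolated.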
Anyone who obtains the stored webhook URL may be able to post messages to the associated Slack workspace/channel.
A Slack webhook URL is a credential that grants posting ability to the configured Slack destination. This is expected for the skill's purpose and is disclosed, but users should protect it.
Slack Incoming Webhook URL ... Save a Slack Incoming Webhook URL to local configuration. The URL is stored in `~/.slack-automator/config.json`.
Use a narrowly scoped Slack webhook, protect the local config file, avoid sharing logs or config contents, and rotate the webhook if it may have been exposed.
Sensitive message content sent through the tool may remain on disk in the user's home directory.
The script persists sent message text, channel, action, status, and timestamp in a local history file. That is aligned with the advertised send history feature, but Slack messages can contain sensitive business content.
HISTORY_FILE="$DATA_DIR/history.json" ... "message": """$message""", ... "channel": """$channel""" ... history.append(entry)
Avoid sending secrets through this tool, review or delete ~/.slack-automator/history.json when needed, and consider adding retention controls.
If the user wires this into cron, messages may be posted later without another interactive review.
The skill supports persistent scheduled messages, but the artifacts disclose that it only saves schedules and requires the user to set up cron for actual background execution.
Schedules are saved locally. To actually trigger them, set up a cron job that runs `slack-automator send` with the scheduled messages.
Review scheduled messages before enabling cron and remove old schedules that should no longer run.
