slack-automation
Pass
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill exposes the agent to indirect prompt injection by ingesting untrusted data from Slack conversations.
  - Ingestion points: Slack messages and threads are retrieved via SLACK_SEARCH_MESSAGES and SLACK_FETCH_MESSAGE_THREAD_FROM_A_CONVERSATION (as seen in SKILL.md).
  - Boundary markers: The instructions lack explicit boundary markers or directives to treat retrieved Slack content as untrusted data, increasing the risk that the agent may follow instructions embedded within messages.
  - Capability inventory: The skill provides write capabilities, including SLACK_SEND_MESSAGE, SLACK_SCHEDULE_MESSAGE, and reaction management, which could be abused if an injection is successful.
  - Sanitization: There is no mention of sanitizing or escaping the text retrieved from Slack before it is added to the agent's context.
- [EXTERNAL_DOWNLOADS]: The skill requires the configuration of an external, third-party Model Context Protocol (MCP) server at https://rube.app/mcp. This service mediates all Slack interactions and tool executions described in the skill.
Audit Metadata