agent-slack

Fail

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: HIGHCREDENTIALS_UNSAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill's primary authentication mechanism involves the automated extraction of Slack session tokens (xoxc) and cookies (xoxd) from external application data.
  • Credential Harvesting: The agent-slack auth extract command scans local storage directories of the Slack desktop app and multiple Chromium-based browsers (Chrome, Edge, Brave, etc.) to locate session material.
  • Keychain Interaction: On macOS, Linux, and Windows, the tool interacts with system-level secret stores (Keychain, Secret Service/Keyring, DPAPI) to decrypt stored cookies.
  • Plaintext Storage: Extracted credentials are saved in ~/.config/agent-messenger/slack-credentials.json. While file permissions are set to 0600, the tokens themselves are stored in plaintext, making them accessible to any other process or malicious script running in the user's context.
  • [DATA_EXFILTRATION]: The skill provides the ability to read and exfiltrate information from Slack workspaces to the local environment or through the agent's output.
  • Sensitive File Access: The tool explicitly reads from sensitive paths such as ~/Library/Application Support/Slack/ and browser Local Storage/leveldb/ directories to retrieve authentication data.
  • [COMMAND_EXECUTION]: The CLI tool performs low-level file system operations and database parsing on application-specific data files to extract session information across multiple operating systems.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it is designed to ingest and process untrusted data from Slack channels.
  • Ingestion Points: Data enters the agent's context through agent-slack message list, snapshot, and the SlackListener SDK.
  • Capability Inventory: The agent has the capability to write to a memory file (MEMORY.md), execute shell commands via allowed-tools, and perform network operations via the Slack API.
  • Sanitization: The provided scripts and instructions lack explicit sanitization or boundary markers to prevent the agent from being manipulated by malicious instructions embedded in Slack messages.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 15, 2026, 06:40 PM
Security Audit — agent-trust-hub — agent-slack