agent-slack
Fail
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: HIGHCREDENTIALS_UNSAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill's primary authentication mechanism involves the automated extraction of Slack session tokens (
xoxc) and cookies (xoxd) from external application data. - Credential Harvesting: The
agent-slack auth extractcommand scans local storage directories of the Slack desktop app and multiple Chromium-based browsers (Chrome, Edge, Brave, etc.) to locate session material. - Keychain Interaction: On macOS, Linux, and Windows, the tool interacts with system-level secret stores (Keychain, Secret Service/Keyring, DPAPI) to decrypt stored cookies.
- Plaintext Storage: Extracted credentials are saved in
~/.config/agent-messenger/slack-credentials.json. While file permissions are set to0600, the tokens themselves are stored in plaintext, making them accessible to any other process or malicious script running in the user's context. - [DATA_EXFILTRATION]: The skill provides the ability to read and exfiltrate information from Slack workspaces to the local environment or through the agent's output.
- Sensitive File Access: The tool explicitly reads from sensitive paths such as
~/Library/Application Support/Slack/and browserLocal Storage/leveldb/directories to retrieve authentication data. - [COMMAND_EXECUTION]: The CLI tool performs low-level file system operations and database parsing on application-specific data files to extract session information across multiple operating systems.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it is designed to ingest and process untrusted data from Slack channels.
- Ingestion Points: Data enters the agent's context through
agent-slack message list,snapshot, and theSlackListenerSDK. - Capability Inventory: The agent has the capability to write to a memory file (
MEMORY.md), execute shell commands viaallowed-tools, and perform network operations via the Slack API. - Sanitization: The provided scripts and instructions lack explicit sanitization or boundary markers to prevent the agent from being manipulated by malicious instructions embedded in Slack messages.
Recommendations
- AI detected serious security threats
Audit Metadata