slack-openapi-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill explicitly reads user-generated Slack content via the Slack Web API (see get:/conversations.history and get:/conversations.replies in references/slack-web.openapi.json and the SKILL.md usage examples), which is untrusted third-party content the agent is expected to parse and that could materially influence follow-up actions such as chat.postMessage or reactions.add.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs runtime commands to fetch the curated OpenAPI schema from https://raw.githubusercontent.com/holon-run/uxc/main/skills/slack-openapi-skill/references/slack-web.openapi.json (via --schema-url), and that fetched schema directly controls the agent's available operations/behavior, making it a required runtime dependency that can modify prompts/instructions.