egghead-slack
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill ingests untrusted data from Slack messages, searches, and files through the
conversations.historyandsearch.messagesAPI endpoints. - Ingestion points: Slack API responses processed in the message intelligence pipeline.
- Boundary markers: Includes explicit rules ("JoelClaw NEVER participates in channels", "NEVER responds to other users") to prevent the agent from being manipulated into public actions by external messages.
- Capability inventory: Performs network operations via
curlto Slack and indexing services. - Sanitization: No specific sanitization or escaping of external message content is documented before processing.
- [DATA_EXFILTRATION]: The skill implements a "Backfill Pipeline" that reads historical Slack data and indexes it into external services (Inngest and Typesense). While this is the intended purpose for the author, it involves the systematic movement of private organizational data (DMs, private channels, and files) to external infrastructure.
- [COMMAND_EXECUTION]: The skill provides template
curlcommands for interacting with the Slack API. These commands involve shell variable interpolation for secrets and query parameters which could be misused if query inputs are not properly sanitized. - [CREDENTIALS_UNSAFE]: The skill utilizes high-privilege Slack tokens (including
adminandsearch:read.privatescopes) and documents numerous internal IDs. However, it follows security best practices by managing the actual tokens through a secrets management system (secrets lease) rather than hardcoding credentials in the skill file.
Audit Metadata