slack
Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection because it is designed to ingest and process untrusted data from Slack workspaces. \n
- Ingestion points: The skill retrieves message content, channel names, and search results using
agent-browser snapshotandagent-browser get textinSKILL.md(e.g., lines 48, 147, 186) andreferences/slack-tasks.md(e.g., lines 20, 48, 77, 102). \n - Boundary markers: The instructions lack delimiters or explicit warnings to the agent to disregard potential instructions embedded within the Slack data. \n
- Capability inventory: The agent possesses powerful capabilities through the
agent-browsertool, including the ability to click, type, navigate, and take screenshots within a browser session, which could be misused if influenced by malicious external content. \n - Sanitization: No validation or sanitization of the retrieved Slack content is prescribed before the agent acts upon it.\n- [COMMAND_EXECUTION]: The skill provides instructions for executing shell commands via the
agent-browsertool to automate browser interactions. While these tools are explicitly permitted in the skill configuration, their use to perform actions based on untrusted external data increases the overall risk profile.
Audit Metadata