pp-slack
Fail
Audited by Snyk on May 26, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to ask the user for the Slack token and to embed it verbatim in a command/example (e.g., claude mcp add -e SLACK_BOT_TOKEN=xoxb-...), which requires handling/outputting secrets directly.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill requires installing and running externally fetched code at runtime (e.g., via go install github.com/mvanhorn/printing-press-library/library/productivity/slack/cmd/slack-pp-cli@latest and the related github.com/mvanhorn/.../slack-pp-mcp path, and optionally via npx @mvanhorn/printing-press), which downloads and executes remote code and is a required dependency for the skill.
Issues (2)
HIGH W007: Insecure credential handling detected in skill instructions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).