slack-respond
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses shell commands and dynamic context injection to execute local Python scripts for inbox management, memory persistence, and Slack interaction. These scripts are located in the user's home directory (~/.claude/skills/slack/).
- [PROMPT_INJECTION]: The skill ingests and processes untrusted message content from Slack, which constitutes an indirect prompt injection surface.
- Ingestion points: External Slack message content is ingested and formatted in SKILL.md (Step 2 and Step 4).
- Boundary markers: The skill lacks explicit instructions or markers to distinguish untrusted message content from internal instructions, potentially allowing embedded commands to influence agent behavior.
- Capability inventory: The agent has extensive local capabilities, including script execution, file system access (reading and writing memory/state files), and network operations via the Slack API.
- Sanitization: No input sanitization or validation of the Slack message content is described in the processing pipeline.
Audit Metadata