slack
Fail
Audited by Snyk on May 19, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The skill intentionally exposes the host session and local tools to remote Slack input (DMs and @mentions), including Bash, filesystem Read/Glob/Grep and WebFetch, with a permission_mode of "bypassPermissions". This constitutes a deliberate backdoor-like capability enabling remote code execution, data access, and exfiltration via Slack. There is no obfuscated payload or unknown external C2, but the design purposefully grants external users a channel to run powerful tools and read/upload data, making it high-risk for abuse.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill ingests untrusted, user-generated Slack messages through two paths: the Session Bridge background listener slack_listen.py writes daemon/inbox.jsonl, which slack_check.py reads and the current session processes; and on-demand readers such as slack_read.py and slack_search.py. Those messages are explicitly used to build prompts and drive tool actions (post responses, run cognitive pipelines), so third-party content can materially influence agent behavior.
Issues (2)
E006
CRITICAL: Malicious code pattern detected in skill scripts.
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
Audit Metadata