catalan-adobe/slack-cdp
Control Slack via CDP or headless API tokens. Navigate channels, read/send messages, search conversations, check unreads, and manage status. Two modes: CDP (Slack desktop with --remote-debugging-port) for full UI control, or headless (xoxp/xoxb token) for data operations without Slack running. Triggers on: slack, read slack, search slack, slack unreads, send slack message, slack status, navigate slack, check slack, slack messages, go to channel, slack DM.
97
97%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Critical
Do not install without reviewing
Security
2 findings — 1 critical severity, 1 medium severity. Installing this skill is not recommended: please review these findings carefully if you do intend to do so.
E006: Malicious code pattern detected in skill scripts
What this means
Detected high-risk code patterns in the skill content — including its prompts, tool definitions, and resources — such as data exfiltration, backdoors, remote code execution, credential theft, system compromise, supply chain attacks, and obfuscation techniques.
Why it was flagged
Malicious code pattern detected (high risk: 0.90). The skill intentionally uses Chrome DevTools Protocol to execute code inside the Slack renderer, read tokens from localStorage (localConfig_v2), and use those tokens to call Slack APIs — functionality that gives full access to read/send messages and user profile data and therefore can be abused for credential theft, data exfiltration, and remote control if the script is run or the debug port is exposed.
W011: Third-party content exposure detected (indirect prompt injection risk)
What this means
The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.
Why it was flagged
Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and evaluates user-generated Slack content (via Slack API calls like conversations.history and search.messages and DOM reads in scripts/slack-cdp.js) as shown in SKILL.md and scripts/slack-cdp.js, and the workflow/chain examples use those message/search results to select channels and drive navigation or follow-up commands, so untrusted third-party content can influence agent actions.
- Audited
- Security analysis