Trust Assessment
slack-personal received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 16 findings: 10 critical, 2 high, 2 medium, and 2 low severity. Key findings include Persistence / self-modification instructions, Arbitrary command execution, Credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings16
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/therohitdas/slack-personal/src/commands.js:18 | |
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/therohitdas/slack-personal/src/commands.js:49 | |
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/therohitdas/slack-personal/src/commands.js:241 | |
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/therohitdas/slack-personal/src/commands.js:242 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/therohitdas/slack-personal/src/auth.js:54 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/therohitdas/slack-personal/src/auth.js:71 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/therohitdas/slack-personal/src/auth.js:92 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/therohitdas/slack-personal/src/auth.js:145 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/therohitdas/slack-personal/src/auth.js:206 | |
| CRITICAL | Credential harvesting macOS Keychain credential access Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/therohitdas/slack-personal/src/auth.js:55 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/therohitdas/slack-personal/src/auth.js:5 | |
| HIGH | Intentional Credential Harvesting for Session Access The skill is explicitly designed to extract highly sensitive Slack session tokens (`xoxc-`) and cookies (`d`) from the user's macOS Keychain and Slack application data directories (LevelDB, SQLite). These credentials grant full, user-level access to the Slack account. While this is the stated and intended functionality of the skill to operate as the user, the capability to harvest such credentials represents a significant security posture. A malicious modification or compromise of this skill could lead to full account takeover. The current implementation appears to only use these credentials for legitimate API calls to `slack.com`. Users must be fully aware of the implications of granting this skill access to their Slack session. The skill should clearly communicate this high level of access and the associated risks. Consider if a less privileged authentication method (e.g., a bot token with specific scopes) could achieve the desired functionality, even if it means less 'personal' interaction. If not, ensure robust security practices around the skill's development and deployment. | LLM | src/auth.js:1 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/therohitdas/slack-personal/src/auth.js:88 | |
| MEDIUM | Excessive Permissions for Credential Extraction The skill requires broad access to the user's filesystem, specifically Slack's application data directories (`~/Library/Application Support/Slack`) and the macOS Keychain. This level of access is necessary to extract session tokens and cookies, but it grants the skill significant control over sensitive user data and system resources. If the skill were compromised, this broad access could be exploited for data exfiltration or other malicious activities beyond its intended scope. Accessing the Keychain requires user consent, which, if set to 'Always Allow', could enable silent credential extraction by any process running as the user. Ensure that the skill's code is thoroughly audited for any unintended use of these broad permissions. Users should be explicitly warned about the extensive system access required by this skill and the potential risks involved. Implement principle of least privilege where possible. | LLM | src/auth.js:20 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/therohitdas/slack-personal/package.json | |
| LOW | Use of External Command Execution (execSync/spawnSync) The skill utilizes `child_process.execSync` and `child_process.spawnSync` to execute external commands (`security`, `sqlite3`, `openssl`, `python3`) for credential extraction. While the current implementation carefully constructs these commands using hardcoded strings or internally derived variables, preventing direct command injection from user input, the use of these functions always carries an inherent risk. Future modifications could inadvertently introduce vulnerabilities if user-controlled data is passed to these commands without strict validation and escaping. Maintain strict vigilance over any changes to code involving `execSync` or `spawnSync`. Ensure that no user-supplied input is ever directly interpolated into shell commands without robust escaping. Prefer using argument arrays with `spawnSync` over string interpolation for `execSync` where possible, as argument arrays inherently prevent shell injection. | LLM | src/auth.js:10 |
Scan History
Embed Code
[](https://skillshield.io/report/03b402d2d81a45ee)
Powered by SkillShield