Trust Assessment
slack-power-tools received a trust score of 12/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 1 high, 2 medium, 0 low, and 1 informational. The key findings are persistence / self-modification instructions (shell RC file modification, flagged by both the manifest and static layers) and potential command injection via unsanitized user input in shell commands.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Details | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions | Shell RC file modification for persistence. | Remove any persistence mechanisms. Skills should not modify system startup configuration: crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/spclaudehome/slack-power-tools/SKILL.md:139 |
| CRITICAL | Persistence / self-modification instructions | Shell RC file modification for persistence. | Remove any persistence mechanisms. Skills should not modify system startup configuration: crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/spclaudehome/slack-power-tools/SKILL.md:164 |
| HIGH | Potential Command Injection via Unsanitized User Input in Shell Commands | The skill provides numerous `bash` snippets that construct `curl` commands, embedding string literals (channel names, topics, message text, filenames, user IDs, search queries) directly in JSON payloads or URL query parameters. If an LLM substitutes user-provided input into those positions without shell escaping, JSON escaping or URL encoding, and the rendered line is then executed by a shell, input that closes the string literal can run arbitrary commands on the host where the skill runs. The pattern recurs across many examples in the skill. | Sanitize every user-provided string before embedding it in a shell command, JSON payload or URL parameter (shell escaping, JSON escaping, URL encoding as appropriate). Either instruct the LLM explicitly to apply that sanitization, or have the skill ship helper functions that perform it. | LLM | SKILL.md:26 |
| MEDIUM | Persistence mechanism: Shell RC file modification | Detected a shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. | Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/spclaudehome/slack-power-tools/SKILL.md:139 |
| MEDIUM | Persistence mechanism: Shell RC file modification | Detected a shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. | Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/spclaudehome/slack-power-tools/SKILL.md:164 |
| INFO | Skill Demonstrates Use of Broad Slack OAuth Scopes | By design as "power tools", the skill exercises capabilities that require a wide range of Slack OAuth scopes, including `channels:manage`, `files:write`, `users:read`, `usergroups:write` and others. They are needed for the documented functionality, but a bot token holding all of them has significant control over the workspace, which widens the blast radius if the token or the LLM using it is compromised. | Apply least privilege when deploying a bot based on this skill: grant only the OAuth scopes the intended functionality needs. Consider splitting the skill into smaller, specialized skills with narrower scope sets, or using separate bot tokens for different groups of operations. | LLM | SKILL.md:20 |
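The HIGH finding describes a pattern rather than a specific exploit: a model renders one of the skill's `curl` templates with user text in place of a literal, and the rendered line is handed to a shell. The following bash example, added here and not taken from the slack-power-tools skill or from SkillShield, contrasts that unsafe path with a safe one. The endpoint URL, the `SLACK_TOKEN` placeholder and the hostile sample text are assumptions for the demo; both functions run in dry-run mode (they print the command or its argv instead of sending anything).

```bash
#!/usr/bin/env bash
# Added example (not code from the skill or from SkillShield).
# Unsafe: user text concatenated into a command string that a shell parses.
# Safe:   each field JSON-escaped, payload passed to curl as one argv element.
# Dry run only: nothing is sent. Endpoint and token placeholder are assumed.

# --- unsafe: template string executed by a shell --------------------------
# Mirrors a model rendering   curl -d '{"channel":"C123","text":"hi"}' ...
# with user text in place of "hi", then running the line via `bash -c`.
vulnerable_post() {
  local channel=$1 text=$2
  local cmd="echo curl -s -d '{\"channel\":\"$channel\",\"text\":\"$text\"}' https://slack.com/api/chat.postMessage"
  bash -c "$cmd"   # a single quote in $text ends the literal; the rest is shell
}

# --- safe: escape for JSON, never re-parse as shell -----------------------
json_escape() {
  # Escape one string for use inside a JSON string literal: backslash,
  # double quote and control characters (RFC 8259 section 7).
  local s=$1 out='' i c esc
  for ((i = 0; i < ${#s}; i++)); do
    c=${s:i:1}
    case "$c" in
      \\)          out+='\\' ;;
      '"')         out+='\"' ;;
      $'\n')       out+='\n' ;;
      $'\r')       out+='\r' ;;
      $'\t')       out+='\t' ;;
      [[:cntrl:]]) printf -v esc '\\u%04x' "'$c"; out+=$esc ;;
      *)           out+=$c ;;
    esac
  done
  printf '%s' "$out"
}

build_payload() {
  # chat.postMessage body with every field escaped.
  local channel text
  channel=$(json_escape "$1")
  text=$(json_escape "$2")
  printf '{"channel":"%s","text":"%s"}' "$channel" "$text"
}

safe_post() {
  # The payload travels as a single argv element (--data "$payload"); there
  # is no intermediate shell string, so quotes in the input cannot break out.
  # Dry run: print the argv curl would receive, one element per line.
  local payload
  payload=$(build_payload "$1" "$2")
  printf '%s\n' curl -s \
    -H "Authorization: Bearer ${SLACK_TOKEN:-xoxb-placeholder}" \
    -H 'Content-Type: application/json; charset=utf-8' \
    --data "$payload" \
    https://slack.com/api/chat.postMessage
}

# Demo: the same hostile text (constructed) through both paths.
hostile="hi'; echo INJECTED; echo '"
echo '--- vulnerable_post output:'; vulnerable_post C1 "$hostile"
echo '--- safe_post argv:';        safe_post C1 "$hostile"
```

Running it shows `INJECTED` on its own line from `vulnerable_post`, because the inner `bash -c` executed the text as a command, while `safe_post` keeps the whole string inside the JSON `text` field. The same argument applies to URL query parameters: encode the value and pass it with `--data-urlencode` rather than splicing it into the URL string.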
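The two persistence findings (manifest and static layers, SKILL.md lines 139 and 164) are the kind of thing a reviewer wants to catch before installing any skill, not only this one. The bash scanner below is an added example, not SkillShield's detector and not the skill's own code: it greps a skill file for the persistence classes the remediation text names (shell profiles, cron, LaunchAgents, systemd units). The pattern list is the author's assumption, and the sample SKILL.md it scans is constructed for the demo, not the real slack-power-tools file.

```bash
#!/usr/bin/env bash
# Added example (not SkillShield's scanner, not the skill's code): a
# pre-install grep for persistence mechanisms in a SKILL.md or script.
# Pattern list and sample file are the author's assumptions for the demo.

# One extended regex per persistence class.
PERSIST_PATTERNS=(
  '>>?[[:space:]]*"?(\$HOME|~)?/?\.(bashrc|zshrc|bash_profile|zprofile|profile)'  # shell RC writes
  '(^|[^[:alnum:]_])crontab([[:space:]]|$)'                                           # cron
  'LaunchAgents|launchctl[[:space:]]+(load|bootstrap)'                                  # macOS
  'systemctl[[:space:]]+(--user[[:space:]]+)?enable|\.config/systemd/user'            # systemd
)

scan_persistence() {
  # Print "lineno:text" for each line of $1 matching any pattern, sorted by
  # line number, each line reported once even if several patterns hit it.
  local file=$1 pat
  for pat in "${PERSIST_PATTERNS[@]}"; do
    grep -nE -- "$pat" "$file" || true   # no match is not an error
  done | sort -t: -k1,1n -u
}

persistence_hits() {
  # Number of flagged lines; 0 means the file passed this check.
  scan_persistence "$1" | wc -l | tr -d '[:space:]'
}

make_sample_skill() {
  # Constructed stand-in for a SKILL.md setup section (not the real one).
  local f
  f=$(mktemp)
  cat >"$f" <<'EOF'
## Setup
export SLACK_TOKEN=xoxb-your-token
echo 'export SLACK_TOKEN=xoxb-your-token' >> ~/.zshrc
curl -s -H "Authorization: Bearer $SLACK_TOKEN" https://slack.com/api/auth.test
(crontab -l 2>/dev/null; echo "0 9 * * 1-5 $HOME/slack-digest.sh") | crontab -
cp com.example.slack-digest.plist ~/Library/LaunchAgents/
EOF
  printf '%s' "$f"
}

# Demo: scan the constructed sample and show the flagged lines.
sample=$(make_sample_skill)
echo "flagged lines: $(persistence_hits "$sample")"
scan_persistence "$sample"
rm -f "$sample"
```

On the constructed sample the scanner flags three lines (the `>> ~/.zshrc` append, the `crontab -` install and the LaunchAgents copy) and passes the plain `export` and `curl` lines. Run it as `scan_persistence path/to/SKILL.md` before enabling a skill; a non-zero count is a prompt to read the flagged lines, not proof of malice, since a legitimate setup section can still be rewritten to leave startup configuration alone.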
Full report: https://skillshield.io/report/9ebe8ec43d601f66