AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The CLI uses configured Slack credentials for user-invoked Slack Web API operations; its SessionStart hook only performs a local cache-age check.
Static reason
One or more suspicious static signals were detected.
Trigger
Explicit elnora-slack command invocation; Claude SessionStart runs hooks/auto-sync.py when the first-party plugin is installed.
Impact
Authorized Slack reads/writes occur only through invoked commands and configured Slack tokens; no install-time mutation, exfiltration endpoint, remote payload execution, or stealth persistence was found.
Mechanism
Allowlisted Slack credential loading and Slack Web API calls; local reference-cache freshness check.
Rationale
The scanner signals are explained by intended Slack-token handling, an OpenAPI specification, and an opt-in local freshness hook. Source inspection found no lifecycle execution, non-Slack exfiltration, dynamic payload execution, or unconsented AI-agent control-surface mutation.
Evidence
package.jsondist/main.jsdist/client.jsdist/security.jshooks/hooks.jsonhooks/auto-sync.pycommands/slack-sync.mdskills/slack-messages/SKILL.mdtemplates/weekly-digest.ps1references/workspace-users.mdreferences/workspace-channels.md
Network endpoints4
slack.comapi.slack.comwww.slack.comfiles.slack.com
Decision evidence
public snapshotAI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks.
- dist/main.js only initializes the user-invoked CLI and command registry.
- dist/client.js reads only allowlisted Slack token keys from configured .env locations.
- dist/client.js restricts API traffic to HTTPS Slack hosts.
- hooks/auto-sync.py only stats local reference-cache files and prints freshness notices.
- commands/slack-sync.md is explicitly user-invocable and writes only plugin reference caches.
Behavioral surface
EnvironmentVarsFilesystem
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcespec/slack_web_openapi_v2.jsonView file
19449patternName = slack_bot_token
severity = critical
line = 19449
matchedText = "access_...gy",
Critical
Critical Secret
Package contains a critical-looking secret pattern.
spec/slack_web_openapi_v2.jsonView on unpkg · L1944919449patternName = slack_bot_token
severity = critical
line = 19449
matchedText = "access_...gy",
Critical
Secret Pattern
Slack bot token in spec/slack_web_openapi_v2.json
spec/slack_web_openapi_v2.jsonView on unpkg · L19449hooks/auto-sync.pyView file
•path = hooks/auto-sync.py
kind = build_helper
sizeBytes = 2533
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
hooks/auto-sync.pyView on unpkgFindings
2 Critical2 Medium4 Low
CriticalCritical Secretspec/slack_web_openapi_v2.json
CriticalSecret Patternspec/slack_web_openapi_v2.json
MediumEnvironment Vars
MediumShips Build Helperhooks/auto-sync.py
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings