registry  /  @elnora-ai/slack  /  0.1.4

@elnora-ai/slack@0.1.4

The entire Slack Web API as a CLI and a Claude Code plugin — 201 methods, agent-friendly JSON, approval-gated sending

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI uses configured Slack credentials for user-invoked Slack Web API operations; its SessionStart hook only performs a local cache-age check.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit elnora-slack command invocation; Claude SessionStart runs hooks/auto-sync.py when the first-party plugin is installed.
Impact
Authorized Slack reads/writes occur only through invoked commands and configured Slack tokens; no install-time mutation, exfiltration endpoint, remote payload execution, or stealth persistence was found.
Mechanism
Allowlisted Slack credential loading and Slack Web API calls; local reference-cache freshness check.
Rationale
The scanner signals are explained by intended Slack-token handling, an OpenAPI specification, and an opt-in local freshness hook. Source inspection found no lifecycle execution, non-Slack exfiltration, dynamic payload execution, or unconsented AI-agent control-surface mutation.
Evidence
package.jsondist/main.jsdist/client.jsdist/security.jshooks/hooks.jsonhooks/auto-sync.pycommands/slack-sync.mdskills/slack-messages/SKILL.mdtemplates/weekly-digest.ps1references/workspace-users.mdreferences/workspace-channels.md
Network endpoints4
slack.comapi.slack.comwww.slack.comfiles.slack.com

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hooks.
    • dist/main.js only initializes the user-invoked CLI and command registry.
    • dist/client.js reads only allowlisted Slack token keys from configured .env locations.
    • dist/client.js restricts API traffic to HTTPS Slack hosts.
    • hooks/auto-sync.py only stats local reference-cache files and prints freshness notices.
    • commands/slack-sync.md is explicitly user-invocable and writes only plugin reference caches.
    Behavioral surface
    Source
    EnvironmentVarsFilesystem
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 39 file(s), 230 KB of source, external domains: api.slack.com, slack.com

    Source & flagged code

    3 flagged · loading source
    spec/slack_web_openapi_v2.jsonView file
    19449patternName = slack_bot_token severity = critical line = 19449 matchedText = "access_...gy",
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    spec/slack_web_openapi_v2.jsonView on unpkg · L19449
    19449patternName = slack_bot_token severity = critical line = 19449 matchedText = "access_...gy",
    Critical
    Secret Pattern

    Slack bot token in spec/slack_web_openapi_v2.json

    spec/slack_web_openapi_v2.jsonView on unpkg · L19449
    hooks/auto-sync.pyView file
    path = hooks/auto-sync.py kind = build_helper sizeBytes = 2533 magicHex = [redacted]
    Medium
    Ships Build Helper

    Package ships non-JavaScript build or shell helper files.

    hooks/auto-sync.pyView on unpkg

    Findings

    2 Critical2 Medium4 Low
    CriticalCritical Secretspec/slack_web_openapi_v2.json
    CriticalSecret Patternspec/slack_web_openapi_v2.json
    MediumEnvironment Vars
    MediumShips Build Helperhooks/auto-sync.py
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings