← Back to Skills Marketplace
therohitdas

Slk

by Rohit Das · GitHub ↗ · v1.0.0
darwin ⚠ suspicious
1243
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install slk
Description
Read, send, search, and manage Slack messages and DMs via the slk CLI. Use when the user asks to check Slack, read channels or DMs, send Slack messages, search Slack, check unreads, manage drafts, view saved items, or interact with Slack workspace. Also use for heartbeat Slack checks. Triggers on "check slack", "any slack messages", "send on slack", "slack unreads", "search slack", "slack threads", "draft on slack", "read slack dms", "message on slack".
Usage Guidance
This skill appears to be what it claims: a macOS Slack CLI that auto-extracts your Slack session so it can act as your user. That requires reading sensitive local data (Keychain, Slack Cookies SQLite, LevelDB) and calling local tools (security, sqlite3, openssl, python3, curl). Before installing, consider: 1) Only install on a personal/trusted machine you control — on shared or managed machines this can expose session tokens; 2) Prefer answering Keychain prompts with 'Allow' rather than 'Always Allow' to avoid silent future access; 3) Inspect the npm package (author/repo) and verify its provenance if you require stronger trust; 4) Be aware a token cache (~/.local/slk/token-cache.json) is created — remove it to force re-extraction if needed; 5) If you plan to let an autonomous agent use this skill, understand it can read and send Slack messages as you (highly privileged for personal account actions). If any of the above is unacceptable, do not install or restrict agent permissions.
Capability Analysis
Type: OpenClaw Skill Name: slk Version: 1.0.0 The skill bundle is classified as suspicious due to its core functionality involving the extraction of sensitive Slack session credentials (xoxc- token and xoxd- cookie) from the macOS Keychain, Slack's SQLite database, and LevelDB files. This is achieved by executing system commands like `security`, `sqlite3`, `openssl`, and `python3` via Node.js `child_process.execSync` and `spawnSync` (primarily in `src/auth.js`). While this capability is high-risk, it is transparently documented in `SKILL.md` and `README.md` as the tool's intended purpose, and there is no evidence of intentional malicious behavior such as unauthorized data exfiltration to external endpoints, persistence mechanisms beyond legitimate caching, or obfuscation. The `SKILL.md` instructions for the AI agent are benign and guide the agent to use the tool for its stated Slack interaction purposes.
Capability Assessment
Purpose & Capability
The skill is a macOS Slack CLI that auto-authenticates by extracting Slack session credentials from the desktop app; the package, binaries, and code (auth.js, api.js, commands.js, drafts.js) all implement that feature. Nothing required by the skill (npm slkcli, 'slk' binary) is unrelated to the stated purpose.
Instruction Scope
SKILL.md and the code instruct the agent to use the slk CLI to read/send/search/manage Slack messages. The implementation explicitly reads the macOS Keychain, copies and queries Slack's Cookies SQLite, scans LevelDB, runs local commands (sqlite3, security, openssl, python3, curl) to extract and validate session tokens. Those actions are sensitive but are required to achieve the 'session-based / acts-as-user' functionality and are documented in the README/SKILL.md.
Install Mechanism
Install is via the public npm package 'slkcli' (creates 'slk' binary). npm is a standard distribution channel for Node CLIs (moderate risk compared to no-install). No arbitrary URL downloads or extract-from-unknown-host are present. Review npm package provenance if you need stronger assurance.
Credentials
The skill requests no environment variables and no external credentials, which is consistent. However, it accesses highly sensitive local artifacts (Slack Safe Storage key from Keychain, Slack Cookies DB, LevelDB session data) because it is intentionally designed to act as the user via session tokens. That access is proportional to the stated capability but materially elevated in sensitivity compared to most CLI tools.
Persistence & Privilege
The skill does not set always:true and is user-invocable. It writes a token cache at ~/.local/slk/token-cache.json and will prompt the macOS Keychain. The README warns about the 'Always Allow' Keychain option — choosing that removes user prompts and allows any process running as your user to extract the same key, increasing risk. Autonomous invocation combined with token access increases blast radius (expected for this kind of tool).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install slk
  3. After installation, invoke the skill by name or use /slk
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of the Slack CLI skill for macOS. - Read, send, search, and manage Slack messages and DMs directly via the slk CLI. - Supports Slack channel and DM reading, sending messages, searching, checking unreads, managing drafts, saved items, and viewing threads. - Session-based authentication: auto-extracts user session from Slack desktop app using macOS Keychain (no tokens or OAuth required). - Designed for personal agent workflows and heartbeat checks with extensive command options. - macOS only; acts with user's permissions and session.
Metadata
Slug slk
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Slk?

Read, send, search, and manage Slack messages and DMs via the slk CLI. Use when the user asks to check Slack, read channels or DMs, send Slack messages, search Slack, check unreads, manage drafts, view saved items, or interact with Slack workspace. Also use for heartbeat Slack checks. Triggers on "check slack", "any slack messages", "send on slack", "slack unreads", "search slack", "slack threads", "draft on slack", "read slack dms", "message on slack". It is an AI Agent Skill for Claude Code / OpenClaw, with 1243 downloads so far.

How do I install Slk?

Run "/install slk" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Slk free?

Yes, Slk is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Slk support?

Slk is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin).

Who created Slk?

It is built and maintained by Rohit Das (@therohitdas); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments