功能描述

Enables authenticated interaction with Slack for sending, editing, deleting, reacting to, and managing messages and pins via a secure bot token.

使用说明 (SKILL.md)

Slack Actions Skill

Name: Slack Actions
Author: rk905

Overview

The Slack Actions Skill enables Clawdbot to securely interact with Slack channels and direct messages using a Bot OAuth token.

This skill allows agents to:

Send, edit, and delete messages
Add and list reactions
Pin and unpin messages
Read recent channel history
Retrieve member information
List workspace emojis

All actions are executed using the permissions granted to the configured bot account.

Purpose & Capability

This skill enables authenticated Slack operations using a Bot OAuth token supplied through the SLACK_BOT_TOKEN environment variable.

With valid credentials, the skill can:

Manage messages and reactions
Maintain pinned references
Retrieve basic user metadata
Support lightweight workflow automation

The skill operates strictly within the authorization scope of the configured Slack bot.

Authentication & Configuration

Required Environment Variable

This skill requires a Slack Bot User OAuth token.

Before use, configure:


SLACK_BOT_TOKEN

Example:

export SLACK_BOT_TOKEN="xoxb-xxxxxxxxxxxx-xxxxxxxxxxxx-xxxxxxxxxxxx"

Or in .env format:

SLACK_BOT_TOKEN=xoxb-xxxxxxxxxxxx-xxxxxxxxxxxx-xxxxxxxxxxxx

Token Requirements

The token must include the following OAuth scopes:

chat:write
channels:read
channels:history
reactions:write
pins:write
users:read
emoji:read

Additional scopes may be required depending on workspace policies.

Credential Storage

Tokens must be stored only in environment variables
Tokens must never be hardcoded
Tokens must never be logged
Tokens must not be exposed in outputs

If SLACK_BOT_TOKEN is missing, invalid, or revoked, this skill must not execute.

Initial Setup

To configure this skill:

Create a Slack App in your workspace
Enable Bot Token authentication
Assign required OAuth scopes
Install the app to the workspace
Copy the Bot User OAuth token
Store the token in SLACK_BOT_TOKEN
Restart the agent

After setup, the skill becomes available for execution.

Credential Constraints

Only Bot User tokens (xoxb-) are supported
User tokens (xoxp-) are not permitted
Tokens must belong to a single workspace
Cross-workspace tokens are unsupported
Tokens must be rotated periodically
Tokens must comply with organizational security policies

Unauthorized credential usage is prohibited.

When to Use This Skill

Activate this skill when the user requests:

Sending messages to Slack
Reacting to messages
Editing or deleting content
Pinning or unpinning messages
Reading recent messages
Looking up users
Viewing emojis

Example triggers:

“Send this to #engineering.” “React with a checkmark.” “Pin that message.” “Who is U123?”

Required Inputs

Message Targeting

channelId — Slack channel ID (ex: C1234567890)
messageId — Slack timestamp (ex: 1712023032.1234)

Reactions

emoji — Unicode emoji or :name: format

Sending Messages

to — channel:\x3Cid> or user:\x3Cid>
content — Message text

Message context may contain reusable fields such as channel and slack message id.

Supported Action Groups

Group	Status	Description
reactions	Enabled	Add and list reactions
messages	Enabled	Send, edit, delete, read messages
pins	Enabled	Manage pinned items
memberInfo	Enabled	Retrieve user profiles
emojiList	Enabled	List custom emojis

Available Actions

React to a Message

{
  "action": "react",
  "channelId": "C123",
  "messageId": "1712023032.1234",
  "emoji": "✅"
}

List Reactions

{
  "action": "reactions",
  "channelId": "C123",
  "messageId": "1712023032.1234"
}

Send a Message

{
  "action": "sendMessage",
  "to": "channel:C123",
  "content": "Hello from Clawdbot"
}

Edit a Message

{
  "action": "editMessage",
  "channelId": "C123",
  "messageId": "1712023032.1234",
  "content": "Updated text"
}

Delete a Message

{
  "action": "deleteMessage",
  "channelId": "C123",
  "messageId": "1712023032.1234"
}

Read Recent Messages

{
  "action": "readMessages",
  "channelId": "C123",
  "limit": 20
}

Pin a Message

{
  "action": "pinMessage",
  "channelId": "C123",
  "messageId": "1712023032.1234"
}

Unpin a Message

{
  "action": "unpinMessage",
  "channelId": "C123",
  "messageId": "1712023032.1234"
}

List Pinned Items

{
  "action": "listPins",
  "channelId": "C123"
}

Get Member Information

{
  "action": "memberInfo",
  "userId": "U123"
}

List Workspace Emojis

{
  "action": "emojiList"
}

Behavioral Rules

Confirm IDs before destructive actions
Never delete messages without explicit user approval
Prefer reactions over messages for acknowledgments
Validate inputs before execution
Never expose credentials

Usage Examples

Mark Task Complete

{
  "action": "react",
  "channelId": "C123",
  "messageId": "1712023032.1234",
  "emoji": "✅"
}

Post Status Update

{
  "action": "sendMessage",
  "to": "channel:C456",
  "content": "Deployment completed successfully."
}

Save Important Message

{
  "action": "pinMessage",
  "channelId": "C123",
  "messageId": "1712023032.1234"
}

Instruction Scope

This skill is limited to Slack workspace operations authorized by the configured bot token.

It does NOT:

Create Slack applications
Modify workspace settings
Manage billing
Bypass permissions
Escalate privileges

All operations respect Slack API constraints.

Compliance

This skill follows Slack API Terms of Service and OAuth security guidelines.

Users are responsible for obtaining organizational approval prior to deployment.

Best Practices

Use reactions for lightweight workflows
Pin long-term references
Keep messages concise
Avoid bulk destructive actions
Rotate credentials regularly

安全使用建议

Do not install blindfolded — ask the publisher for source code or a homepage and request corrected registry metadata that explicitly lists SLACK_BOT_TOKEN as a required credential. If you proceed, create a dedicated Slack bot with the minimum OAuth scopes listed in the SKILL.md, restrict the bot to only the channels it needs, and use a non-production workspace to test. Rotate the token after testing and never give a shared or user-level token. Prefer installing only after the author provides a verifiable implementation (repo or package) and the registry entry is updated to declare the sensitive environment variable; if you cannot verify the implementation, treat the undeclared sensitive requirement as a red flag.

功能分析

Type: OpenClaw Skill Name: geeksdobyte-slack-botskill Version: 0.1.1 The OpenClaw AgentSkills skill bundle for Slack actions is classified as benign. The `SKILL.md` file clearly defines the skill's purpose, capabilities, and required Slack API scopes, which are all consistent with standard Slack bot functionality. Crucially, the documentation provides strong security guidelines for handling the `SLACK_BOT_TOKEN` (environment variable only, no logging, no hardcoding, no exposure) and includes behavioral rules for the AI agent that promote safe usage (e.g., 'Never delete messages without explicit user approval', 'Never expose credentials'). There is no evidence of prompt injection attempts, data exfiltration, unauthorized execution, or any other malicious intent.

能力评估

⚠ Purpose & Capability

The SKILL.md describes precisely the Slack operations you'd expect for a 'Slack Actions' skill (sending/editing/deleting messages, reactions, pins, reading history, listing emojis, user lookups). However, the registry metadata claims no required environment variables or primary credential, while the runtime instructions explicitly require SLACK_BOT_TOKEN. That metadata–behavior mismatch is an incoherence (either the metadata is incomplete/incorrect or the skill author failed to declare a sensitive requirement).

✓ Instruction Scope

The instructions in SKILL.md stay narrowly focused on Slack API actions and require only a Bot OAuth token and standard Slack scopes. The doc does not instruct the agent to read unrelated files, secrets, or system state. It also contains sensible behavioral rules (confirm IDs, avoid logging tokens).

✓ Install Mechanism

This is an instruction-only skill with no install spec and no code files. That is lower risk because nothing is downloaded or executed by default; however, actual runtime behavior depends on how the agent implements these instructions.

⚠ Credentials

The SKILL.md requires a single sensitive environment variable (SLACK_BOT_TOKEN) with broad workspace scopes, which is proportionate for Slack integration—but the registry metadata fails to declare this. The absence of a declared primary credential reduces transparency and prevents reviewers/automated systems from flagging sensitive requirements. Additionally, Bot tokens (xoxb-) can be powerful; ensure least-privilege scopes and use a dedicated bot account limited to necessary channels.

✓ Persistence & Privilege

always is false and the skill does not request system-wide persistence or modification of other skills' configs. The skill will be able to be invoked autonomously by the agent (default), which is expected; combine this with a valid bot token and the agent could perform Slack actions, so token scope/limits are important.

版本历史

v0.1.1

**Major update: Expanded documentation and enforced stricter security and setup requirements for Slack bot credential usage.** - Added detailed setup and authentication instructions, including required OAuth scopes and credential storage rules. - Expanded usage and capability explanations, specifying agent action scope and security/compliance guidelines. - Clarified required inputs, supported actions, and example JSON payloads for all Slack operations. - Emphasized credential safety: use of environment variables, prohibition of user tokens and hardcoding, and workspace/permission constraints. - Updated tags and version metadata to reflect improved capabilities and security.

v0.1.0

Initial public release of the Slack Actions skill. - Enables sending, editing, deleting, and fetching Slack messages via a bot. - Supports adding, removing, and viewing message reactions. - Allows pinning and unpinning content in channels. - Provides access to Slack member information. - Includes action for listing available workspace emojis. - Intended for use only when explicit Slack actions are requested.

元数据

Slug geeksdobyte-slack-botskill

版本 0.1.1

许可证 —

累计安装 0

当前安装数 0

历史版本数 2

常见问题

Slack Actions 是什么？

Enables authenticated interaction with Slack for sending, editing, deleting, reacting to, and managing messages and pins via a secure bot token. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 681 次。

如何安装 Slack Actions？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install geeksdobyte-slack-botskill」即可一键安装，无需额外配置。

Slack Actions 是免费的吗？

是的，Slack Actions 完全免费（开源免费），可自由下载、安装和使用。

Slack Actions 支持哪些平台？

Slack Actions 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Slack Actions？

由 RK905（@rk905）开发并维护，当前版本 v0.1.1。

Slack Actions