← 返回 Skills 市场
Slack Automator
作者
bytesagain4
· GitHub ↗
· v4.0.0
· MIT-0
554
总下载
0
收藏
1
当前安装
17
版本数
在 OpenClaw 中安装
/install slack-automator
功能描述
Automate Slack messaging, channels, and search with Block Kit. Use when sending scheduled messages, syncing channels, monitoring chats, notifying teams.
安全使用建议
This skill appears to do what it claims, but review and take these precautions before installing/using it:
- Inspect the included script (scripts/script.sh) yourself before running. It will create ~/.slack-automator and write config.json, history.json, schedule.json, and template files there.
- The Slack webhook URL is stored in plaintext at ~/.slack-automator/config.json. Use a webhook that is scoped to a single channel and rotate it if needed. Set file permissions (chmod 600 ~/.slack-automator/config.json) to limit local access.
- The script uses python heredocs with shell-interpolated variables. Avoid passing untrusted content into template save/use or schedule commands to reduce risks from malformed input; prefer simple text values.
- The schedule feature only stores cron data locally; you must create your own cron job to trigger sends. Be careful when enabling automated scheduled sends to production channels.
- If you need stronger security or auditing, consider using a Slack app with scoped OAuth tokens and finer permissions rather than a shared incoming webhook.
If you want me to, I can (a) point out specific lines in scripts/script.sh that would be worth hardening, or (b) produce a checklist of commands to safely inspect and set permissions for the files the skill creates.
功能分析
Type: OpenClaw Skill
Name: slack-automator
Version: 4.0.0
The script 'scripts/script.sh' contains multiple critical command injection vulnerabilities where shell variables are unsafely interpolated into Python heredocs (e.g., in _json_set, _build_payload, and _record_history). Because the script uses triple quotes (e.g., """$value""") to pass data to Python without escaping, an attacker could execute arbitrary Python code by providing a message or configuration value containing triple quotes and Python commands. While this appears to be a significant architectural flaw rather than intentional malware, it represents a high-risk execution environment.
能力评估
Purpose & Capability
Name/description match the included script and SKILL.md. The script implements connecting to a Slack Incoming Webhook, sending messages, templates, and a local schedule store — all coherent with 'Slack Automator'. Required tools (bash, curl, python3) are reasonable for the described functionality.
Instruction Scope
SKILL.md and the script only read/write files under the user's home directory (~/.slack-automator) and perform HTTP POSTs to Slack webhooks. The instructions do not request unrelated files or environment variables. Note: the script embeds user-provided values into Python heredocs via shell interpolation; if you feed untrusted input into commands that save/format templates or schedule messages, malformed input could break the Python snippets or produce unexpected output. This is a local input-safety concern rather than evidence of malicious behavior.
Install Mechanism
No install spec or remote downloads — the skill is instruction-only and ships a local bash script. Nothing is fetched from external arbitrary URLs during installation.
Credentials
The skill requests no environment variables or external credentials; it stores a Slack Incoming Webhook URL locally in ~/.slack-automator/config.json. That is proportionate to its purpose (sending webhook messages).
Persistence & Privilege
The skill persists configuration, history, templates, and schedules under ~/.slack-automator. This is expected for the feature set but gives the script permanent presence in the user's home directory. It does not request platform-wide privileges or modify other skills.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install slack-automator - 安装完成后,直接呼叫该 Skill 的名称或使用
/slack-automator触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v4.0.0
v4.0.0: Complete rewrite with real Slack Webhook integration — send, schedule, templates, format.
v3.0.2
v3.0.2: SKILL.md accurately describes local logging toolkit, no Slack API claims.
v3.0.1
v3.0.1: SKILL.md from script help output
v3.0.0
v3.0.0: SKILL.md aligned with script.sh.
v2.0.1
update
v2.0.0
v2.5 standard: Use-when desc, homepage, source, security fix
v2.3.7
old template -> domain-specific v2.0.0
v2.3.6
old template -> domain-specific v2.0.0
v2.3.5
Quality upgrade
v2.3.4
Quality upgrade: custom functionality
v2.3.3
De-template, unique content, script cleanup
v2.3.2
Quality fix: cleaner docs, removed flags
v2.3.1
Quality improvement: better docs, examples, cleaner text
v2.3.0
Quality fixes: aligned docs with implementation
v2.2.0
Enhanced descriptions for better AI triggering
v1.0.3
Fix commands alignment
v1.0.0
- Initial release of Slack Automator.
- Send messages to channels or direct messages from the command line.
- Manage channels: create, archive, set topic, and view details.
- List and look up users, including search by email.
- Post messages with Block Kit formatting and react to messages.
- Search message history, upload files, and set bot status.
- Supports flexible output formats: table, JSON, and Markdown.
元数据
常见问题
Slack Automator 是什么?
Automate Slack messaging, channels, and search with Block Kit. Use when sending scheduled messages, syncing channels, monitoring chats, notifying teams. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 554 次。
如何安装 Slack Automator?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install slack-automator」即可一键安装,无需额外配置。
Slack Automator 是免费的吗?
是的,Slack Automator 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Slack Automator 支持哪些平台?
Slack Automator 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Slack Automator?
由 bytesagain4(@xueyetianya)开发并维护,当前版本 v4.0.0。
推荐 Skills