slack-mcp-server
v1.1.28
Model Context Protocol (MCP) server for Slack Workspaces. This integration supports both Stdio and SSE transports and proxy settings, and does not require any permissions or bots to be created or approved by Workspace admins.
Total: 21, Critical: 12, High: 5, Medium: 4
Findings
unknown
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
166:
167: - Never share API tokens
>>> 168: - Keep .env files secure and private
169:
170: ## License

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
16: function resolveBinaryPath() {
17: // If DXT installation then we fix empty variables, it's a DXT bug.
>>> 18: if (process.env.SLACK_MCP_DXT) {
19: if (process.env.SLACK_MCP_XOXC_TOKEN === '${user_config.xoxc_token}') {
20: process.env.SLACK_MCP_XOXC_TOKEN = '';

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
17: // If DXT installation then we fix empty variables, it's a DXT bug.
18: if (process.env.SLACK_MCP_DXT) {
>>> 19: if (process.env.SLACK_MCP_XOXC_TOKEN === '${user_config.xoxc_token}') {
20: process.env.SLACK_MCP_XOXC_TOKEN = '';
21: }

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
18: if (process.env.SLACK_MCP_DXT) {
19: if (process.env.SLACK_MCP_XOXC_TOKEN === '${user_config.xoxc_token}') {
>>> 20: process.env.SLACK_MCP_XOXC_TOKEN = '';
21: }
22: if (process.env.SLACK_MCP_XOXD_TOKEN === '${user_config.xoxd_token}') {

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
20: process.env.SLACK_MCP_XOXC_TOKEN = '';
21: }
>>> 22: if (process.env.SLACK_MCP_XOXD_TOKEN === '${user_config.xoxd_token}') {
23: process.env.SLACK_MCP_XOXD_TOKEN = '';
24: }

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
21: }
22: if (process.env.SLACK_MCP_XOXD_TOKEN === '${user_config.xoxd_token}') {
>>> 23: process.env.SLACK_MCP_XOXD_TOKEN = '';
24: }
25: if (process.env.SLACK_MCP_XOXP_TOKEN === '${user_config.xoxp_token}') {

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
23: process.env.SLACK_MCP_XOXD_TOKEN = '';
24: }
>>> 25: if (process.env.SLACK_MCP_XOXP_TOKEN === '${user_config.xoxp_token}') {
26: process.env.SLACK_MCP_XOXP_TOKEN = '';
27: }

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
24: }
25: if (process.env.SLACK_MCP_XOXP_TOKEN === '${user_config.xoxp_token}') {
>>> 26: process.env.SLACK_MCP_XOXP_TOKEN = '';
27: }
28: if (process.env.SLACK_MCP_ADD_MESSAGE_TOOL === '${user_config.add_message_tool}') {

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
26: process.env.SLACK_MCP_XOXP_TOKEN = '';
27: }
>>> 28: if (process.env.SLACK_MCP_ADD_MESSAGE_TOOL === '${user_config.add_message_tool}') {
29: process.env.SLACK_MCP_ADD_MESSAGE_TOOL = '';
30: }

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
27: }
28: if (process.env.SLACK_MCP_ADD_MESSAGE_TOOL === '${user_config.add_message_tool}') {
>>> 29: process.env.SLACK_MCP_ADD_MESSAGE_TOOL = '';
30: }
31: }

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
37: }
38:
>>> 39: if (process.env.SLACK_MCP_DXT) {
40: return require.resolve(path.join(__dirname, `${binary.name}${binary.suffix}`));
41: } else {

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
47:
48: // Workaround for https://github.com/anthropics/dxt/issues/13
>>> 49: if (process.env.SLACK_MCP_DXT) {
50: const stats = fs.statSync(binPath);
51: const execMask = fs.constants.S_IXUSR

Decoded base64 content
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Node.js child process spawning
Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive.
3: const fs = require('fs');
4: const path = require('path');
>>> 5: const childProcess = require('child_process');
6:
7: const BINARY_MAP = {

JavaScript fetch() call
Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.
2: [](https://archestra.ai/mcp-catalog/korotovsky__slack-mcp-server)
3:
>>> 4: Model Context Protocol (MCP) server for Slack Workspaces. The most powerful MCP Slack server — supports Stdio, SSE and HTTP transports, proxy settings, DMs, Group DMs, Smart History fetch (by date or count), may work via OAuth or in complete stealth mode with no permissions and scopes in Workspace 😏.
5:
6: > [!IMPORTANT]

High-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (5.0 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Scan History
| Date | Risk | Findings | Files | Duration |
|---|---|---|---|---|
| Feb 25, 2026 | critical | 21 | 5 | 0.00s |
| Feb 23, 2026 | critical | 21 | 5 | 0.00s |
| Feb 22, 2026 | critical | 21 | 5 | 0.00s |