slack-mcp
Reference MCP server for Slack workspace operations: list channels, read messages, post messages, manage threads. Auth via Bot User OAuth Token.
Default for agents that need to read or post Slack. Always scope the bot token to the smallest set of channels — Slack tokens are coarse and the blast radius matters.
What it does
Lets an agent read and write Slack. Tools cover list_channels, get_channel_history, post_message, reply_to_thread, list_users, get_user_profile, and a few more. Auth is a Bot User OAuth Token issued from a Slack app you create in your workspace.
When you actually need it
Three patterns I’ve seen work:
- Agent posts daily/weekly summaries. Agent reads a configured channel’s last 24h, summarises, posts a digest in another channel. Standalone — no human in the loop after setup.
- Agent triages incoming threads. When a message in #support matches a pattern, the agent reads the thread context, drafts a reply, posts it in a private review channel, waits for approval, then posts publicly.
- Agent posts decisions / changes. Used as a notification sink — when an agent does anything material (deploys, bookings, file edits), it posts a one-line “I just did X” to a #agent-log channel for human visibility.
Setup
Create a Slack app at api.slack.com/apps. Add a Bot User. Grant the minimum scopes you need (start with channels:history and chat:write). Install it to the workspace. Copy the Bot User OAuth Token (it starts with xoxb-). Then add the server to your MCP client config, passing the token via env:

  "slack": {
    "command": "npx",
    "args": ["-y", "@modelcontextprotocol/server-slack"],
    "env": {
      "SLACK_BOT_TOKEN": "xoxb-…",
      "SLACK_TEAM_ID": "T01234567"
    }
  }
Then, in Slack, invite the bot user to the specific channels you want it to read/write. Don’t add it to #general or #announcements unless you genuinely need it there.
The catch
Slack’s auth model wasn’t designed for autonomous agents. Tokens are scope-based, not channel-based — chat:write writes wherever you’re invited, period. There’s no Slack-side feature that says “this bot can ONLY post in #agent-log.”
Mitigations:
- One bot per agent purpose. A summariser bot has different scopes than a triage bot. They get separate tokens.
- Curate the invite list. Treat the list of channels the bot is in as a security artifact. Audit it on the same cadence you audit IAM policies.
- Watch the workspace audit log. Anyone with admin in the workspace can see every message a bot has posted. Use it.
- Rate-limit at the prompt level. A loose prompt can trigger Slack tier 2 rate limits; if your agent is allowed to post repeatedly, add a “no more than N posts per hour” rule in the system prompt.
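One way to operationalise the “curate the invite list” mitigation, as an added example that is not part of the slack-mcp server: it diffs the channels the bot is actually a member of (a constructed sample shaped like Slack’s users.conversations response) against a per-purpose allowlist and flags drift into wide-audience or private channels. Channel names and IDs are made up.

```javascript
// Added example, not part of the slack-mcp server: audit the bot's actual channel
// membership against the per-purpose allowlist you committed to at setup time.
// In production `response` comes from Slack's users.conversations method called
// with user=<bot user id> and types=public_channel,private_channel; here it is
// a constructed sample with the same { ok, channels: [...] } shape.

// Channels each agent-purpose bot is supposed to be in (constructed allowlists).
const ALLOWED_CHANNELS = {
  summariser: new Set(["#eng-updates", "#eng-digest"]),
  triage: new Set(["#support", "#support-review"]),
};

// Channels where a stray bot has the widest blast radius.
const HIGH_BLAST_RADIUS = new Set(["#general", "#announcements"]);

// Constructed sample: the summariser bot has drifted into two extra channels.
const sampleResponse = {
  ok: true,
  channels: [
    { id: "C0000000001", name: "eng-updates", is_private: false },
    { id: "C0000000002", name: "eng-digest", is_private: false },
    { id: "C0000000003", name: "general", is_private: false },
    { id: "C0000000004", name: "incident-private", is_private: true },
  ],
};

// Compare membership to the allowlist; any difference is a finding.
function auditBotChannels(purpose, response) {
  if (!response.ok) throw new Error(`Slack API error: ${response.error}`);
  const allowed = ALLOWED_CHANNELS[purpose];
  if (!allowed) throw new Error(`unknown bot purpose: ${purpose}`);
  const names = response.channels.map((c) => `#${c.name}`);
  const actual = new Set(names);
  const unexpected = names.filter((c) => !allowed.has(c)).sort();
  const missing = [...allowed].filter((c) => !actual.has(c)).sort();
  // Escalate separately: wide-audience channels, and private channels the
  // bot was never meant to be in (membership is the only gate Slack offers).
  const highRisk = unexpected.filter((c) => HIGH_BLAST_RADIUS.has(c));
  const privateUnexpected = response.channels
    .filter((c) => c.is_private && !allowed.has(`#${c.name}`))
    .map((c) => `#${c.name}`)
    .sort();
  const ok = unexpected.length === 0 && missing.length === 0;
  return { purpose, ok, unexpected, missing, highRisk, privateUnexpected };
}

console.log(JSON.stringify(auditBotChannels("summariser", sampleResponse), null, 2));
```

Run it on the same cadence as your IAM policy review; a non-empty `unexpected` list means someone invited the bot somewhere the allowlist never approved.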
FOR: Slack workspace operations where the bot's invited channel set is curated and minimal.
Use it. Create a per-purpose Slack app (one bot per agent intent). Grant minimal scopes. Curate the invite list — that's your real ACL. Add a posting-rate cap in the prompt to avoid Slack rate limits.
Anthropic + the modelcontextprotocol working group.
Inherited from the modelcontextprotocol/servers monorepo.
Bot User OAuth Token passed via env. Server doesn't log or persist it.
Only slack.com APIs.
Slack tokens are per-scope, not per-channel. `chat:write` writes wherever the bot is invited. Curate the invite list as a security artefact.
Whatever scopes you grant the bot user become the agent's powers. Default templates are over-broad — start with `chat:write` and `channels:history` only.
Channel messages the agent reads can contain hostile instructions — particularly in user-driven channels (#support, #general). Treat all message content as untrusted text.
MCP SDK + Slack's official @slack/web-api Node client.
Slack's tier 2 rate limits are easy to hit with bursty posting. A loose prompt can land you in a temporary lockout.
npm package published with provenance attestations.
Slack's cloud. Your workspace's region governs storage.
Token in process env.
2 present · human approval optional
post_message, reply_to_thread
NOT A FORMAL SECURITY AUDIT · Adoption posture based on public-source review · See methodology for what's measured and what isn't