PRODUCTIVITY

slack-mcp

Reference MCP server for Slack workspace operations: list channels, read messages, post messages, manage threads. Auth via Bot User OAuth Token.

Alive · Recommended · Reviewed 2026-05-07
VERDICT

Default for agents that need to read or post Slack. Always scope the bot token to the smallest set of channels — Slack tokens are coarse and the blast radius matters.

What it does

Lets an agent read and write Slack. Tools cover list_channels, get_channel_history, post_message, reply_to_thread, list_users, get_user_profile, and a few more. Auth is a Bot User OAuth Token issued from a Slack app you create in your workspace.

When you actually need it

Three patterns I’ve seen work:

  1. Agent posts daily/weekly summaries. Agent reads a configured channel’s last 24h, summarises, posts a digest in another channel. Standalone — no human in the loop after setup.
  2. Agent triages incoming threads. When a message in #support matches a pattern, the agent reads the thread context, drafts a reply, posts it in a private review channel, waits for approval, then posts publicly.
  3. Agent posts decisions / changes. Used as a notification sink — when an agent does anything material (deploys, bookings, file edits), it posts a one-line “I just did X” to a #agent-log channel for human visibility.

Setup

Create a Slack app at api.slack.com/apps. Add a Bot User. Grant the minimum scopes you need (start with channels:history and chat:write). Install it to the workspace. Copy the Bot User OAuth Token (it starts with xoxb-).

"slack": {
  "command": "npx",
  "args": ["-y", "@modelcontextprotocol/server-slack"],
  "env": {
    "SLACK_BOT_TOKEN": "xoxb-…",
    "SLACK_TEAM_ID":   "T01234567"
  }
}

Then, in Slack, invite the bot user to the specific channels you want it to read/write. Don’t add it to #general or #announcements unless you genuinely need it there.

The catch

Slack’s auth model wasn’t designed for autonomous agents. Tokens are scope-based, not channel-based — chat:write writes wherever you’re invited, period. There’s no Slack-side feature that says “this bot can ONLY post in #agent-log.”

Mitigations:

  • One bot per agent purpose. A summariser bot has different scopes than a triage bot. They get separate tokens.
  • Curate the invite list. Treat the list of channels the bot is in as a security artifact. Audit it on the same cadence you audit IAM policies.
  • Watch the workspace audit log. Anyone with admin in the workspace can see every message a bot has posted. Use it.
  • Rate-limit at the prompt level. A loose prompt can trigger Slack tier 2 rate limits; if your agent is allowed to post repeatedly, add a “no more than N posts per hour” rule in the system prompt.
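
As an added example (not code from the slack-mcp project), the invite-list audit from the second mitigation as a runnable check: it diffs the channels a bot is actually a member of, read from paged conversations.list output, against the channels you meant it to be in. The sample pages, channel ids and allow-list below are constructed; only real conversations.list fields are read.

```javascript
// Added example (not part of slack-mcp): audit which channels a bot has actually
// been invited to against the allow-list you intended, the "real ACL" the review
// describes. Works on paged output of Slack's conversations.list; only the real
// fields `name`, `is_member`, `ok` and `response_metadata.next_cursor` are read.
// The pages below are constructed sample data, not from any real workspace.
const SAMPLE_PAGES = [
  {
    ok: true,
    channels: [
      { id: "C0000AGENT", name: "agent-log", is_member: true },
      { id: "C0000GENRL", name: "general", is_member: true }, // drift: nobody meant to add it
    ],
    response_metadata: { next_cursor: "constructed-cursor-1" },
  },
  {
    ok: true,
    channels: [
      { id: "C0000SUPPT", name: "support", is_member: false }, // visible but not invited
      { id: "C0000DIGST", name: "eng-digest", is_member: true },
    ],
    response_metadata: { next_cursor: "" }, // empty cursor = last page
  },
];
// Channels this bot purpose is supposed to live in (one bot per agent intent).
const ALLOWED_CHANNELS = ["agent-log", "eng-digest", "release-notes"];

// Collect the names of every channel the bot is a member of, across all pages.
// A failed page throws, so a partial read is never mistaken for a clean audit.
function memberChannels(pages) {
  const names = [];
  for (const page of pages) {
    if (!page.ok) throw new Error(`conversations.list failed: ${page.error}`);
    for (const ch of page.channels) if (ch.is_member) names.push(ch.name);
  }
  return names;
}

// Diff actual membership against the allow-list. `unexpected` are channels the
// bot can already post in (chat:write reaches all of them); `missing` are
// allow-listed channels it was never invited to.
function auditInviteList(pages, allowed) {
  const actual = new Set(memberChannels(pages));
  const wanted = new Set(allowed);
  return {
    unexpected: [...actual].filter((n) => !wanted.has(n)).sort(),
    missing: [...wanted].filter((n) => !actual.has(n)).sort(),
  };
}
```

In live use, page through conversations.list with @slack/web-api (following response_metadata.next_cursor until it is empty) and pass the collected pages in; a non-empty `unexpected` list is the finding to alert on.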

MCP SECURITY SCORECARD · Methodology v1.0 · Confidence HIGH · Reviewed 2026-05-07 · Next review due 2026-08-07
ADOPT WITH LIMITS

FOR: Slack workspace operations where the bot's invited channel set is curated and minimal.

Use it. Create a per-purpose Slack app (one bot per agent intent). Grant minimal scopes. Curate the invite list — that's your real ACL. Add a posting-rate cap in the prompt to avoid Slack rate limits.

Maintainer: corp

Anthropic + the modelcontextprotocol working group.

Licence: MIT

Inherited from the modelcontextprotocol/servers monorepo.

Code review: yes
Secrets handling: scoped

Bot User OAuth Token passed via env. Server doesn't log or persist it.

Sandbox: process
Filesystem access: none
Shell access: no
Network egress: allow-list

Only slack.com APIs.

OAuth handling: broad

Slack tokens are per-scope, not per-channel. `chat:write` writes wherever the bot is invited. Curate the invite list as a security artefact.

Default permissions: broad

Whatever scopes you grant the bot user become the agent's powers. Default templates are over-broad — start with `chat:write` and `channels:history` only.

Prompt-injection exposure: high

Channel messages the agent reads can contain hostile instructions — particularly in user-driven channels (#support, #general). Treat all message content as untrusted text.

Supply chain surface: low

MCP SDK + Slack's official @slack/web-api Node client.

Dep CVE surface: clean
Rate-limit risk: high

Slack's tier 2 rate limits are easy to hit with bursty posting. A loose prompt can land you on a temporary lockout.

Signed releases: yes

npm package published with provenance attestations.

Security policy: yes
Telemetry: none
Data residency: cloud

Slack's cloud. Your workspace's region governs storage.

Credential storage: memory

Token in process env.

DESTRUCTIVE TOOLS

2 present · human approval optional

  • post_message
  • reply_to_thread

NOT A FORMAL SECURITY AUDIT · Adoption posture based on public-source review · See methodology for what's measured and what isn't