mcp-slack

Verified Safe

by kazuph

Overview

A Model Context Protocol (MCP) server for integrating with Slack workspaces, enabling agents to interact with Slack data and actions.

Installation

Run Command
npx -y @kazuph/mcp-slack@latest --transport stdio

Environment Variables

  • SLACK_MCP_XOXC_TOKEN
  • SLACK_MCP_XOXD_TOKEN
  • SLACK_MCP_XOXP_TOKEN
  • SLACK_MCP_XOXB_TOKEN
  • SLACK_MCP_PORT
  • SLACK_MCP_HOST
  • SLACK_MCP_SSE_API_KEY
  • SLACK_MCP_PROXY
  • SLACK_MCP_USER_AGENT
  • SLACK_MCP_SERVER_CA
  • SLACK_MCP_SERVER_CA_INSECURE
  • SLACK_MCP_ADD_MESSAGE_TOOL
  • SLACK_MCP_USERS_CACHE
  • SLACK_MCP_CHANNELS_CACHE

Security Notes

The server handles sensitive Slack authentication tokens (xoxc/xoxd browser tokens or xoxp OAuth tokens), which are passed via environment variables. It implements an optional API key for the SSE transport, compared using `subtle.ConstantTimeCompare` to mitigate timing attacks. The `conversations_add_message` tool is disabled by default and requires explicit environment variable configuration (`SLACK_MCP_ADD_MESSAGE_TOOL`) for safety, with options for whitelisting/blacklisting channels. It supports custom CA certificates and allows explicitly insecure TLS connections (with a strong warning). No obvious `eval` or malicious obfuscation patterns were found. The use of browser session tokens ('stealth mode') inherently carries a risk because it relies on an active user session, but this is a documented feature and the user's choice. Proper handling of `.env` files and secure storage of tokens is paramount.

Stats

  • Interest Score: 0
  • Security Score: 8
  • Cost Class: Low
  • Avg Tokens: 250
  • Stars: 0
  • Forks: 0
  • Last Update: 2026-01-18

Tags

  • Slack Integration
  • Communication Protocol
  • API Proxy
  • Developer Tool
  • Data Fetching