Slack token
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A Slack token (xoxb/xoxp/xoxa/xoxr/xoxs-...) was found. Depending on type it can read messages, post as the bot, or act as the installing user.
Why it matters
A Slack token can read channel history, post as the bot, or act as the installing user depending on its type. A leak exposes internal conversations or lets an attacker post convincing messages in your workspace. Slack tokens are long-lived until revoked.
How to fix it
Move the token into an environment variable or secret store, read at runtime. Revoke the exposed token in the Slack app management console and reinstall the app to issue a new one.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo