While trying to fetch messages using the list_messages action from the Slack app in the communication category, the system returns a 400 error due to a missing required field: token.
📤 Request Sent:
```json
{
  "skip_workflow": true,
  "action": "list_messages",
  "fields": [
    {"key": "chennel id", "value": "C08KAEC7ZKK"}
  ],
  "app": "slack",
  "category": "communication"
}
```
❌ Response:
```json
{
  "success": false,
  "reason": "Not all required fields are set",
  "label": "list_messages",
  "missing_fields": "token",
  "action": "get_search_messages"
}
```
🔍 Problem:
- The Slack app requires a token for listing messages, but the `list_messages` action does not prompt for the token field in the UI.
- As a workaround, a token might be passed through the `fields` section, but this introduces a security risk, especially if this is exposed to AI or other automated systems.
- It’s not secure or user-friendly to expect users to pass sensitive credentials like tokens manually.
⚠️ Security Concern:
Sensitive data like tokens should not be passed manually through input fields, especially when AI is involved. This is a security vulnerability.
🔧 Suggested Fix:
- Update the Slack app definition so that the `token` field is clearly prompted in the UI as a required secure credential, not a manual field entry.
- Alternatively, the system should fetch the token from saved app credentials (e.g., through backend secrets or OAuth config) rather than asking the user to input it every time.
- Fix the backend logic for the Slack app only, as this issue seems isolated to how it handles credentials for actions like `list_messages`.
✅ Expected Behavior:
- Users should not be asked to manually input or pass tokens.
- Errors for missing tokens should be clear, and sensitive fields should be marked as secure credentials.
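
The server-side handling requested above, as an added example that is not part of the original issue or the project's code: credentials are resolved from saved app credentials, any credential-like key in caller-supplied `fields` is rejected, and the logged copy is redacted. `prepare_action`, `redact`, `SECRET_KEYS`, `CREDENTIAL_STORE`, `REQUIRED_SECRETS` and the `secrets` key are hypothetical names, and the stored token is a constructed placeholder.

```python
import copy

# Hypothetical field names treated as credentials; never accepted from callers.
SECRET_KEYS = {"token", "apikey", "api_key", "password", "secret"}

# Constructed stand-in for a server-side secret store keyed by app name.
CREDENTIAL_STORE = {"slack": {"token": "xoxb-constructed-placeholder"}}

# Hypothetical per-action requirements, mirroring the "missing_fields" response.
REQUIRED_SECRETS = {("slack", "list_messages"): ["token"]}


def prepare_action(request, store=CREDENTIAL_STORE):
    """Return (call, error). Secrets come from the store, never from request fields."""
    app, action = request["app"], request["action"]
    supplied = [f["key"] for f in request.get("fields", [])
                if f["key"].strip().lower() in SECRET_KEYS]
    if supplied:
        # Reject rather than silently use: the value has already crossed
        # an untrusted channel (UI input, AI agent prompt, logs).
        return None, {"success": False,
                      "reason": "Credentials must not be passed in fields",
                      "rejected_fields": supplied}
    saved = store.get(app, {})
    needed = REQUIRED_SECRETS.get((app, action), [])
    missing = [k for k in needed if k not in saved]
    if missing:
        return None, {"success": False,
                      "reason": "App is not authenticated; configure saved credentials",
                      "missing_credentials": missing}
    call = copy.deepcopy(request)
    call["secrets"] = {k: saved[k] for k in needed}  # kept apart from user fields
    return call, None


def redact(call):
    """Copy of a prepared call that is safe to log or echo back to the caller."""
    safe = copy.deepcopy(call)
    safe["secrets"] = {k: "***" for k in safe.get("secrets", {})}
    return safe


# Constructed request, shaped like the one in the issue.
ISSUE_REQUEST = {"skip_workflow": True, "action": "list_messages",
                 "fields": [{"key": "chennel id", "value": "C08KAEC7ZKK"}],
                 "app": "slack", "category": "communication"}
```

Only the output of `redact` should reach logs, API responses or an AI agent's context; the unredacted call stays inside the backend that talks to Slack.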