Block Secrets in Slack Messages
Blocks Slack send-message tool calls whose message body looks like it contains a secret — API keys, passwords, tokens, or PEM-formatted private keys.
Blocks Slack send-message tool calls whose message body looks like it contains a secret — API keys, passwords, tokens, or PEM-formatted private keys.
Blocks Slack channel-creation tool calls at ingress. Every other Slack tool — and every non-Slack tool — passes through untouched.
Blocks read, search, and summarize operations that target a configurable set of "sensitive" Slack channels.
Blocks Slack message-write calls whose destination resolves to a direct conversation — a 1:1 DM, a message posted to a user ID (which Slack auto-opens as a…
Reusable DTwo policies for Slack MCP servers (the official Anthropic Slack MCP server and compatible implementations).
| Policy | Direction | Purpose |
|---|---|---|
| block-secrets | ingress | Deny send-message calls whose body looks like an API key, password, token, or private key. |
| deny-channel-creation | ingress | Deny Slack channel-creation tool calls; all other Slack tools pass through. |
| deny-read-search-summarize-sensitive-channels | ingress | Deny read, search, and summarize operations targeting sensitive channels (matched by channel ID). |
| deny-direct-messages | ingress | Deny message-write calls addressed to a direct conversation (1:1 DM, user ID, or group DM). |
| redact-sensitive-info | ingress | Redact secrets and PII from outgoing message content to [REDACTED] (transform-only); all other Slack tools pass through. |
DTwo prefixes tool names with the MCP server name configured on the gateway. A Slack MCP server registered as slack-mcp will surface tools like slack-mcp-slack-post-message, while one registered as slack will surface slack-slack-post-message. The policies in this directory match on the suffix (slack-post-message, slack-send-message, etc.) so they stay portable across naming conventions — but you should always confirm the exact tool name your gateway sends using the dump-input debug technique before deploying.
These policies do not require any specific IdP claims. If you want to add identity-based exemptions (e.g., an InfoSec break-glass user), gate the relevant allow rule with object.get(input.subject.claims, "<claim>", "<default>").
To add a Slack policy:
apps/slack/<policy-slug>/ with policy.md and a tests.yaml test file.apps: ["slack"] in the policy frontmatter, plus any industry / bundle slugs that apply.bundles/slack or bundles/im-messaging), link to it from the matching landing page.pnpm manifest from the repo root.See CONTRIBUTING.md for the full process.