Skip to content

AI agents

slackctl is built to be driven by AI agents safely. Two features make that work: an MCP server that exposes the commands as tools, and an agent guard that generates host safety rules blocking the irreversible ones.

MCP server

slackctl mcp start

Runs slackctl as a Model Context Protocol server. Each command becomes a tool, annotated read-only / write / destructive so a host can gate writes. The server reuses the active workspace and keyring, and excludes secret and instance flags (--show-token, --workspace, --as-user, --base-url) plus the setup commands (auth, config, init, alias) — an agent can't read your token or switch workspaces.

Install it into a host:

slackctl mcp claude      # Claude Desktop / Code
slackctl mcp cursor
slackctl mcp vscode

Agent guard

slackctl agent guard --host claude-code
slackctl agent guard --host codex
slackctl agent guard --host opencode

Classifies every command from the live tree into read / write / irreversible, then emits host safety config that:

  • hard-blocks irreversible operationsmsg delete, conversations archive/kick/ leave, usergroups disable, files delete, bookmarks remove, canvases delete/ access-delete — across canonical and alias command paths;
  • gates ordinary writes behind approval;
  • leaves reads free.

For Claude Code it also emits a PreToolUse hook that resists quoting and path-prefix obfuscation, and gates the raw slackctl api escape hatch to read-shaped methods only.

What's guaranteed

MCP-only operation is the hard guarantee. The Bash hook is best-effort — it defeats quoting/path tricks but not variable indirection or shell aliases. For an airtight setup, run the agent against the MCP server (or a read-only sandbox) rather than a shell.

Regenerate the guard after upgrading slackctl so new commands are covered:

slackctl agent guard --host claude-code --out .claude/settings.json