Slack: Deny Channel Creation
Blocks Slack channel-creation tool calls at ingress. Every other Slack tool — and every non-Slack tool — passes through untouched.
Blocks Slack channel-creation tool calls at ingress. Every other Slack tool — and every non-Slack tool — passes through untouched.
Blocks read, search, and summarize operations that target a configurable set of "sensitive" Slack channels.
Blocks Slack message-write calls whose destination resolves to a direct conversation — a 1:1 DM, a message posted to a user ID (which Slack auto-opens as a…
A curated bundle of policies for Slack MCP servers. The goal is a sensible default posture for any organization fronting Slack through the DTwo gateway: keep sensitive content from leaking into messages and keep workspace-shape changes (like channel creation) under control.
| Policy | App | Direction | Purpose |
|---|---|---|---|
| deny-channel-creation | slack | ingress | Deny Slack channel-creation tool calls; all other Slack tools pass through. |
| deny-read-search-summarize-sensitive-channels | slack | ingress | Deny read, search, and summarize operations targeting sensitive channels (matched by channel ID). |
| deny-direct-messages | slack | ingress | Deny message-write calls addressed to a direct conversation (1:1 DM, user ID, or group DM). |
| redact-sensitive-info | slack | ingress | Redact secrets and PII from outgoing message content (transform-only — never denies). |
Policy bodies live under
apps/. This page only links to them — see the top-level README for the rationale.
Bundle membership is declared in each policy's policy.md frontmatter (the policy lists bundles: ["slack"]). This page is a human-readable landing page; the generated manifest.json is the machine-readable source of truth. There is intentionally no separate bundle.json artifact — one source of metadata avoids drift.
The bundle's policies are designed to compose cleanly on the same ingress pipeline. deny-channel-creation, deny-read-search-summarize-sensitive-channels, and deny-direct-messages are each default allow := true and deny only their own narrow concern (channel creation; reads/search/summarize of specific channels; message writes to direct conversations), so they never interfere with each other or with other Slack policies attached to the same direction. redact-sensitive-info is also default allow := true but transform-only — it rewrites matching content to [REDACTED] rather than denying, so it layers cleanly with the deny policies on the same direction.
The block-secrets Slack policy lives in the im-messaging bundle (a cross-app instant-messaging hygiene pack). It composes cleanly with this bundle's policies on the same ingress pipeline; add it to your gateway alongside deny-channel-creation if you also want secret-leak protection on Slack messages.
org_id, groups, etc.) vary by deployment. Add these as separate policies in your gateway.*-conversations-history and *-search-messages responses.