Slack hygiene for autonomous AI agents
Slack's OAuth scopes pick capabilities, not the channels they apply to: you can grant an agent 'post messages,' but not 'post only in #status' — one scope covers every channel at once.
For: Platform teams granting agents Slack access beyond a single channel
Slack OAuth scopes let you pick capabilities, but not the channels or recipients they apply to. chat:write lets an agent post in every channel it's in, not just the one you intended; channels:history reads every public channel, not a chosen few; and there's no scope for 'DM teammates but never outsiders.' Apps also tend to request a bundle of scopes to cover many features, so an agent inherits all of it. The gateway is where you narrow that to specific channels and actions, since the scopes can't.
Each of these three ingress policies blocks one specific action and leaves the rest of the Slack tools available. deny-channel-creation stops channel sprawl from an over-eager agent. deny-direct-messages denies writes addressed to a 1:1 DM, a user ID, or a group DM, so the agent stays in channels instead of private conversations. deny-read-search-summarize-sensitive-channels keeps named sensitive channels out of reach for read, search, and summarize.
Add block-secrets from the secrets story and the agent is limited to posting in approved channels with no secrets in the payload. The slack bundle gathers the hygiene set.
Policies in this guide
Slack: Deny Channel Creation
Blocks Slack channel-creation tool calls at ingress. Every other Slack tool — and every non-Slack tool — passes through untouched.
Slack: Deny Sending Direct Messages
Blocks Slack message-write calls whose destination resolves to a direct conversation — a 1:1 DM, a message posted to a user ID (which Slack auto-opens as a…
Slack: Deny Read/Search/Summarize of Sensitive Channels
Blocks read, search, and summarize operations that target a configurable set of "sensitive" Slack channels.