Your "simple social engineering" attack sounds like an extremely complex Rube Goldberg machine with little chance of success to me. If the malicious actor is going to call up the victim with some social engineering attack, it seems like it would be a ton easier to just try to get the victim to divulge sensitive info over the phone in the first place (tons of successful social engineering attacks have worked this way) instead of some multi-chain steps of (1) create some prompt, (2) call the victim and try to get then to search for something, in Slack (which has the huge downside of exposing the malicious actor's identity to the victim in the first place), (3) hope the created prompt matches what the user search for and the injection attack worked, and (4) hope the victim clicks on the link.

When it comes to security, it's like the old adage about outrunning a bear: "I don't need to outrun the bear, I just need to outrun you." I can think of tons of attacks that are easier to pull off with a higher chance of success than what this Slack AI injection issue proposes.