waylog-journal
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill instructions explicitly direct the agent to override default security constraints by requesting 'outbound network access' for the command sandbox (e.g., via `sandbox_workspace_write.network_access=true`). This action significantly reduces the protections provided by the execution environment.
- [COMMAND_EXECUTION]: The Python script (`waylog_journal.py`) spawns subprocesses to execute `codex exec` and `codex mcp list`. The script allows passing arbitrary configuration strings via the `--codex-config` flag, which are executed by the child processes.
- [DATA_EXFILTRATION]: The skill reads local chat transcript files from `.waylog/history/*.md` and sends their contents to an external AI model. While it includes a blacklist of regex patterns for common secrets (API keys, JWTs, private keys), regex-based redaction is not an exhaustive protection against accidental data exposure.
- [EXTERNAL_DOWNLOADS]: The documentation references and encourages the installation of the `waylog` CLI from a third-party GitHub repository (shayne-snap/waylog-cli) using Homebrew or Cargo.
- [PROMPT_INJECTION] (Indirect Prompt Injection Surface):
  - Ingestion points: The script reads transcripts from `.waylog/history/*.md` in `waylog_journal.py`; these contain content from previous chat sessions that could include malicious instructions.
  - Boundary markers: The skill uses JSON schemas and specific markers (`MANAGED_BEGIN`, `JOURNAL_BEGIN`) to delimit generated content, along with instructions to the model to avoid command execution.
  - Capability inventory: The skill executes the `codex` CLI with network access enabled.
  - Sanitization: The script performs regex-based redaction and validates model output against a JSON schema to mitigate malicious output.
Audit Metadata