chat-logger
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE PROMPT_INJECTION DATA_EXFILTRATION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill provides a mechanism to log and retrieve arbitrary chat content, which creates a surface for indirect prompt injection if malicious instructions are stored and later processed by the agent.
  - Ingestion points: The `log_message` (Python) and `logMessage` (Node.js) functions capture all incoming and outgoing chat content in the `messages` table.
  - Boundary markers: Data retrieval functions such as `get_recent_messages` and `search_messages` do not wrap the retrieved content in delimiters or provide 'ignore embedded instructions' warnings for the agent context.
  - Capability inventory: The skill possesses the capability to write to the local filesystem (creating and updating a SQLite database) and allows structured querying of historical data.
  - Sanitization: The implementation includes a character limit (10,000 chars) to prevent database bloat, but lacks content sanitization or instruction-filtering for retrieved text.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill records conversation history, potentially capturing sensitive data, credentials, or PII mentioned during chats into a local database file.
  - Evidence: The database is stored at `~/.chat_logs/messages.db`. While the data is stored locally and no external network exfiltration was detected, the logging of all interactions represents a data exposure surface.
Audit Metadata